Watchdog: Government cyber defenses lag as attacks evolve

Legacy IT systems continue to limit the overall effectiveness of other cybersecurity solutions, federal CIO Suzette Kent told lawmakers at a July 25 House hearing, but she said the administration is making progress. A report to the president on IT modernization included 52 tasks for federal agencies, many of which deal with cybersecurity. Kent said 37 of those tasks have been completed, with the rest due to be closed out by the end of the year.

But Kent also noted that the deployment of detection tools was behind schedule.

"There was a milestone set for deployment of [Continuous Diagnostic and Mitigation] tools, we have not met that milestone ... for agencies to have implemented tracking capabilities so that they know what is on their network," she said.

Gene Dodaro, who heads the Government Accountability Office as comptroller general, told the House Oversight and Government Reform Committee that efforts to modernize, protect and defend U.S. IT infrastructure is not moving nearly fast enough to keep up with the evolving cybersecurity threat landscape.

Agencies are still sitting on more than 1,000 unresolved GAO recommendations that have yet to be addressed, Dodaro said.

A new report by the GAO breaks down the major cybersecurity problems facing the government into four buckets: protecting federal systems and information, protecting critical infrastructure, protecting privacy and sensitive data and establishing a comprehensive governmentwide cybersecurity strategy backed by independent and effective oversight from Congress.

In 2017, federal civilian agencies reported a combined 35,277 security incidents to the U.S. Computer Emergency Readiness Team, including instances of phishing, web-based attacks, theft or loss of computing and media devices, unauthorized use of government systems and other attacks. Thirty one percent of those attacks were from unknown vectors, something Dodaro called "concerning."

Kent said the problem is "as much a people issue as it is a technology issue."

With currently more than 15,000 unfilled IT jobs in the federal government, she called on the committee to continue exploring policies and methods to expand the federal cybersecurity workforce.

Efforts are underway to identify and code IT and cybersecurity positions to identify critical areas of need, something that could lay the groundwork for further action by Congress or the executive branch.

Rep. Will Hurd (R-Texas), who is working on legislation to create a scholarship program to feed private-sector cybersecurity talent into the federal government, told FCW after the hearing that he was initially told the coding process was due to be completed in April. A GAO report last month found that 13 of the 24 CFO Act agencies charged with identifying and coding cybersecurity positions still had outstanding tasks to complete related to the effort.

In addition to a dearth of talent at the entry level, Kent said that vacancies in top IT leadership positions was also contributing to the problem.

"In many cases we still have almost a 25 percent gap in the number of cybersecurity resources we need across federal agencies … and particularly we have some gaps in leadership," said Kent.