GAO: 'Urgent Action’ Needed to Address Nation’s Cyber Challenges

The risks to the IT systems that underpin the nation’s critical infrastructure “are increasing,” upping the odds of a successful cyberattack, according to a report from the Government Accountability Office.

The report identifies four major cybersecurity challenges and 10 critical actions the federal government needs to take to secure the nation’s energy grids, transportation systems, dams or financial institutions, but it takes a dim view of the government’s past actions shoring these systems up.

Over the years, GAO has made over 3,000 recommendations to various agencies “aimed at addressing cybersecurity shortcomings,” but only one-third of them have been implemented. Information security has been on GAO’s high-risk list—programs most in need of transformation—since 1997, and expanded to include cyber critical infrastructure in 2003 and protecting privacy and personally identifiable information in 2015.

“Although many recommendations have been addressed, about 1,000 have not yet been implemented,” GAO wrote in a letter addressed to the chairs of the Senate Homeland Security and Government Affairs and the House Oversight and Government Reform committees. “Until these shortcomings are addressed, federal agencies' information and systems will be increasingly susceptible to the multitude of cyber-related threats that exist.”

The meat of the report revolves around four major cyber challenges: establishing a comprehensive cyber strategy and performing effective oversight; securing federal systems and information; protecting cyber critical infrastructure; and protecting privacy and sensitive data. GAO also includes critical recommendations agencies must take to address each challenge.

The risks to the systems that comprise the nation’s critical infrastructure are compounded by hostile nation-states’ access to cheaper emerging technologies, such as cloud computing. These technologies lower the barrier to entry to pose a threat to such systems.

GAO’s latest work makes it clear that should systems that underpin the nation’s critical infrastructure fall prey to attack, the consequences will have dire ramifications.

“The security of these systems and data is vital to public confidence and national security, prosperity, and well-being,” the report states. “Many of these systems contain vast amounts of personally identifiable information, thus making it imperative to protect the confidentiality, integrity, and availability of this information and effectively respond to data breaches and security incidents, when they occur.”