New GAO report focuses on federal government lapses in protecting critical infrastructure

A new report from the U.S. Government Accountability Office (GAO) identified the need for the federal government to develop and execute a comprehensive national cyber strategy and strengthen its role in protecting the cybersecurity of critical infrastructure. The agency also said that ensuring the nation’s cybersecurity is on its ‘High-Risk List,’ and GAO has urged federal agencies to act on it.

“If the federal government doesn’t act with greater urgency, the security of our nation’s critical infrastructure will be in jeopardy,” GAO said in its report. Since 2010, GAO has made about 3,700 recommendations to agencies to remedy cybersecurity shortcomings. However, as of last month, the federal government had not yet implemented about 900 of those recommendations, it added.

To address critical infrastructure cybersecurity issues, the congressional watchdog suggested that the federal government develop and execute a comprehensive national cyber strategy. It also needs to strengthen the federal role in protecting critical infrastructure cybersecurity, GAO said. 

In September 2020, GAO reported that the White House’s 2018 National Cyber Strategy and related implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources. GAO also reported that it was unclear which official within the executive branch maintained responsibility for coordinating the execution of the National Cyber Strategy. 

Accordingly, GAO recommended that the National Security Council update the cybersecurity strategy and it suggested that Congress should consider legislation to designate a position in the White House to lead such an effort, according to the report.

In January 2021, a federal statute established the Office of the National Cyber Director within the Executive Office of the President. Subsequently, in June, the Senate confirmed a director to lead this new office. In October, the National Cyber Director issued a strategic intent statement outlining a vision for the Director’s planned high-level lines of efforts. Establishing a National Cyber Director position is an essential step toward positioning the federal government to better direct activities to address the nation’s cyber threats, GAO said. 

The report said that GAO’s recommendation to develop and execute a comprehensive national cyber strategy is not yet fully implemented. As a result, a pressing need remains to provide a clear roadmap for addressing the nation’s cyber challenges, including its critical infrastructure.

According to legislation enacted in 2018, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) was charged with responsibility for, among other things, enhancing the security of the nation’s critical infrastructure in the face of both physical and cyber threats.

In March 2021, GAO reported that DHS needed to complete key activities related to the transformation of CISA, including finalizing the agency’s mission-essential functions and completing workforce planning activities. GAO also reported that DHS needed to address challenges identified by selected critical infrastructure stakeholders, including having consistent stakeholder involvement in the development of related guidance. Accordingly, GAO made 11 recommendations to the DHS. As of November 2021, DHS had not yet implemented them, though it has stated its intent to do so.

Regarding specific critical infrastructure sectors, since 2010, GAO has made about 80 recommendations to enhance the cybersecurity of these sectors and subsectors, including within the aviation and pipeline industries, the GAO report said. 

In October 2020, GAO reported that, although the Federal Aviation Administration had established a process for certification and oversight of U.S. commercial airplanes, it had not prioritized risk-based cybersecurity oversight or included periodic testing as part of its monitoring process, among other things, according to the GAO report.

In July 2021, GAO testified that the Transportation Security Administration (TSA) had not fully addressed pipeline cybersecurity-related weaknesses that GAO had previously identified, such as aged protocols for responding to pipeline security incidents. GAO reported in June 2019 that TSA had not revised its 2010 Pipeline Security and Incident Recovery Protocol Plan to reflect changes in pipeline security threats, including those related to cybersecurity, leaving its protocols for responding to pipeline cybersecurity incidents out of date.

Last week, GAO’s information technology and cybersecurity director Nick Marinos submitted this report to the House Committee on Transportation and Infrastructure. GAO was asked to testify on the federal government’s efforts to address critical infrastructure cybersecurity. 

GAO said that “cybersecurity of critical infrastructure sectors has been a long-standing challenge for the federal government, underscored by the need for federal agencies to improve their own cybersecurity posture and enhance the cybersecurity support provided to the nation’s critical infrastructure.”

“To develop the statement, we reviewed prior reports and testimonies that described cyber-related challenges faced by the nation and the extent to which federal entities have taken actions to address them,” Marinos wrote in his statement. “We conducted the work on which this statement is based in accordance with all sections of GAO’s Quality Assurance Framework that are relevant to our objectives. The framework requires that we plan and perform the engagement to obtain sufficient and appropriate evidence to meet our stated objectives and to discuss any limitations in our work,” he added.

Until GAO’s recommendations to address issues such as these are fully implemented, federal agencies will not be effectively positioned to ensure critical infrastructure sectors are adequately protected from potentially harmful cybersecurity threats, the GAO report concluded.