GAO reports difficulties in creating unified national cybersecurity strategy, performing oversight

The U.S. Government Accountability Office (GAO) proposed in its latest report that the federal government must develop and execute a comprehensive federal strategy for national cybersecurity and global cyberspace. Additionally, federal agencies must mitigate global supply chain risks, develop a government-wide reform plan that addresses the cybersecurity workforce shortage, and ensure the security of emerging technologies. 

Identifying this report as the first in a series of four reports that lay out the main cybersecurity areas that the federal government should urgently address, beginning with the need for a comprehensive strategy and effective oversight, GAO said that it has “made about 335 recommendations in public reports since 2010 with respect to this area. About 190 of these recommendations were not implemented as of December 2022. Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them.”

For a more comprehensive federal cyber strategy, GAO said that the federal government needs to address missing elements in the National Cyber Strategy and Implementation Plan. 

The White House’s September 2018 National Cyber Strategy and the National Security Council’s (NSC) accompanying June 2019 Implementation Plan detail the executive branch’s approach to managing the nation’s cybersecurity. In September 2020, GAO pointed out that the strategy and implementation plan addressed some, but not all, of the desirable characteristics of national strategies. 

“In particular, the National Cyber Strategy, when combined with the Implementation Plan, addressed three of the six desirable characteristics of national strategies but did not include key elements for three other characteristics,” the GAO reported. “We stressed that moving forward, the incoming administration needed to either update the existing strategy and plan or develop a new comprehensive strategy that addresses those characteristics.”

Congress and the Administration took action to establish and fill a critical cybersecurity leadership position. Specifically, in January 2021, the National Defense Authorization Act for Fiscal Year 2021 established the Office of the National Cyber Director within the Executive Office of the President. In June 2021, the Senate confirmed the first National Cyber Director to head the office and serve as the principal advisor to the President on cybersecurity policy and strategy. 

The Director subsequently issued a strategic statement for the office that summarized its vision, challenge, path, and urgency to improve the nation’s cybersecurity. However, until the federal government fully develops and implements a comprehensive national strategy, it will not have a clear roadmap for overcoming the cyber challenges that face the U.S.

GAO suggests that the National Security Council work with relevant federal entities to update cybersecurity strategy documents to include goals, performance measures, and resource information, among other things. “As of August 2022, according to the Office of the National Cyber Director, the development of a national cybersecurity strategy by the administration is underway. The office noted that it is obtaining feedback on the strategy from many other federal entities, including the National Security Council, on this effort,” it added.

The current GAO report said federal agencies rely extensively on information and communications technology (ICT) products and services to carry out their operations. “However, agencies face numerous ICT supply chain risks, including threats posed by counterfeiters who may exploit vulnerabilities in the supply chain. To assist agencies with effectively managing their ICT supply chain risks, the National Institute of Standards and Technology developed guidance that includes risk-based practices,” it added.

In December 2020, “our review of 23 civilian agencies found that none had fully implemented all of the seven foundational practices for supply chain risk management and that 14 had not implemented any of the practices,” GAO reported.

For example, only three of the 23 agencies had fully developed organizational procedures to detect counterfeit and compromised ICT products before deployment. In addition, none of the 23 agencies had established a process to conduct agency-wide assessments of ICT supply chain risks, according to the GAO report. Implementing the foundational practices for ICT supply chain risk management is essential if agencies are to address the risk of malicious actors disrupting mission operations, stealing intellectual property, or harming individuals, it added. 

GAO recommends that the 23 agencies fully implement foundational practices in their organization-wide approaches to ICT supply chain risk management. “As of December 2022, 130 of our 145 recommendations were not yet implemented; none of the 23 agencies had fully implemented all recommendations addressed to them,” it added.

The GAO report called upon the Office of Management and Budget (OMB) to develop a government-wide plan to address the cybersecurity workforce shortage. GAO found that OMB and the Department of Homeland Security (DHS) had partially addressed most of the key practices associated with effective reforms through their efforts to implement several projects. However, OMB and DHS had not established a dedicated implementation team or a government-wide implementation plan, among other practices. Without these practices in place, OMB and DHS will likely be unable to make significant progress toward solving the cybersecurity workforce shortage. 

It recommended focusing on developing a government-wide workforce plan and related supporting practices such as establishing a leadership team and crafting an implementation plan. Government-wide leadership responsibility for cyber workforce issues transitioned in 2022 from OMB and DHS to the Office of the National Cyber Director. 

“Since the transition, the Director has committed to developing a national strategy that addresses cyber training and education, digital awareness, and the cyber workforce,” according to the GAO report. “The commitment is consistent with the current Administration’s management agenda, which states that the Administration must identify and address critical skills gaps across the federal IT and cybersecurity workforce. We will continue monitoring efforts to develop the strategy.”

The U.S. watchdog further called upon federal agencies to take action to better secure Internet-connected devices. Critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems. “In December 2022, we reported that the federal lead agencies of the reviewed critical infrastructure sectors—the Departments of Energy, Health and Human Services, Homeland Security, and Transportation—had cybersecurity initiatives underway intended to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems,” it added. 

Last September, GAO reported that quantum technologies build on the study of the smallest particles of energy and matter to collect, generate, and process information in ways not achievable with existing technologies. Quantum computers could dramatically accelerate computation for some applications, such as machine learning and information decryption. 

Additionally, quantum information technologies could increase capabilities beyond what is possible with classical technologies, including high-value applications in security and cryptography. However, quantum computing also creates major cybersecurity risks. For example, a sufficiently large, fault-tolerant quantum computer could break the public-key encryption and digital signature algorithms in standard use today (RSA and elliptic-curve schemes, via Shor’s algorithm), while only reducing the effective strength of symmetric ciphers. As a result, the federal government’s cybersecurity infrastructure will need to evolve, including migration to post-quantum algorithms, to address this threat.

Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released its 2022 Year in Review highlighting the extensive work of CISA and its partners over the past year to protect the nation’s critical infrastructure. The Year in Review is organized around the four goals outlined in the agency’s Strategic Plan, released last September: cyber defense, risk reduction and resilience, operational collaboration, and agency unification.
