The U.S. Government Accountability Office (GAO) delivered an update that the federal government needs to move with greater urgency to improve the nation’s cybersecurity, as the country faces grave and rising cyber security threats.
In a report released this week, the GAO said that the government needs to take 10 critical actions to address four major challenges that the agency identified in 2018, including securing federal systems and protecting critical infrastructure, privacy and sensitive data.
In performing its work, GAO reviewed the cybersecurity-related products it had issued since September 2018, and assessed actions taken on prior GAO recommendations, and determined which recommendations had not yet been implemented, the GAO report pointed out. Further, GAO identified its relevant ongoing cybersecurity work. The GAO finally reviewed cybersecurity findings from agency Inspector General reports, and analyzed the recommendations of the U.S. Cyberspace Solarium Commission.
Recent events, such as the SolarWinds supply chain cyber incident and the Oldsmar water plant hack, highlight the significant cyber security threats facing the nation’s critical infrastructure, and the range of consequences that these cyber attacks pose.
Federal agencies have made progress in improving the security of federal and critical infrastructure IT systems, but more work remains to fully address the four cybersecurity challenges facing the nation.
For example, since 2010, agencies have implemented over 2,700 of about 3,300 recommendations that the U.S. GAO has made in connection with the four cybersecurity challenges. Nevertheless, many agencies and critical infrastructure entities continue to face challenges in safeguarding their information systems and information, in part because many of these recommendations had not been implemented.
In particular, over 750 of the agency’s recommendations had not been implemented, as of December 2020. The GAO also identified 103 priority recommendations, and at the end of last year, 67 of these had not been implemented.
“Until our recommendations are implemented and actions are taken to address the four challenges we identified, the federal government’s IT systems, the nation’s critical infrastructure, and the personal information of U.S. citizens will be increasingly susceptible to the multitude of cyber-related threats that exist,” the agency said in its report.
The tactics and techniques chosen by the cyber adversaries can facilitate cybersecurity incidents and cyberattacks with a range of consequences, such as disruption of critical operations, inappropriate access to and disclosure, modification, or destruction of sensitive information, and threaten national security, economic well-being, and public health and safety.
Hackers seek to gain initial access to a target network by, for example, using targeted spear phishing emails or exploiting weaknesses on public-facing web servers. After gaining an initial foothold, attackers will often use a variety of tactics and techniques to achieve their objectives, such as trying to run malicious code, attempting to steal account names and passwords and gain higher-level permissions, and moving throughout a network to find and gain access to their target.
According to the Federal Bureau of Investigation (FBI), some of the most common and damaging types of cyber security threats, include those involving business email compromise, data breaches, denial-of-service, malware and ransomware.
The Cyberspace Solarium Commission has also made recommendations related to cybersecurity workforce management challenges, including that Congress and the executive branch should pass legislation and implement policies designed to better recruit, develop, and retain cyber talent while acting to deepen and diversify the pool of candidates for cyber work in the federal government. The U.S. government should take a number of actions to improve cyber-oriented education, such as further exploring ways to expand federal cyber training programs.
Until GAO’s recommendations are implemented, federal agencies may be limited in their ability to provide effective oversight of critical government-wide initiatives, mitigate global supply chain risks, address challenges with cybersecurity workforce management, and better ensure the security of emerging technologies.
The emergence of new technologies can potentially introduce security vulnerabilities for those technologies, which were previously unknown. As the GAO and the Cyberspace Solarium Commission have previously reported, additional processes and controls will need to be developed to potentially address these new vulnerabilities.
While some progress has been made to address the security and privacy issues associated with these technologies, such as the Internet of Things (IoT), 5G networks, artificial intelligence (AI), and quantum computing, there is still much work to be done, the report adds.
The National Security Commission on Artificial Intelligence (NSCAI) issued its final report in which the commission described additional cybersecurity risks associated with AI and recommendations to address them. Specifically, the commission stated that AI will enable malware to mutate into thousands of different forms, find vulnerabilities, and attack selectively.
The commission added that the expanding application of AI cyber capabilities will make cyberattacks more precise and tailored; further accelerate and automate cyber warfare; enable stealthier and more persistent cyber weapons; and make cyber campaigns more effective on a larger scale.