GAO Report Highlights Need for Centralized Cyber Leadership
Watchdog Says Nation's Cybersecurity Readiness Regressed Over Last 2 Years
A lack of centralized leadership, especially at the White House level, is hindering the federal government's ability to address numerous cybersecurity issues, such as the SolarWinds supply chain attack that affected federal agencies and others, according to a new report from the Government Accountability Office.
Since 2010, the GAO has made over 3,300 recommendations to improve cybersecurity standards and practices across the federal government, and as of December 2020, about 750 - including 100 that are considered priority recommendations - have not been implemented, according to the report published Tuesday.
The GAO says the 2018 National Cyber Strategy and the National Security Council's 2019 Implementation Plan, issued during the Trump administration, lacked "important characteristics of a national strategy," which made these plans less effective in addressing pressing cybersecurity issues. The nation's cybersecurity stance has regressed over the last two years since the GAO's last report on the issue, the watchdog agency notes.
The report also says a lack of centralized leadership at the White House hinders the government's ability to address cybersecurity. And while the 2021 National Defense Authorization Act included a provision to reestablish the position of national cyber director at the White House, the Biden administration has not yet nominated anyone for that position (see: Defense Funding Measure Includes 77 Cybersecurity Provisions).
"Federal agencies and other entities need to take urgent actions to implement a comprehensive cybersecurity strategy, perform effective oversight, secure federal systems and protect cyber critical infrastructure, privacy and sensitive data," the GAO report notes.
Many federal agencies have not hired employees who have deep knowledge of IT and cybersecurity issues, according to the GAO.
The GAO found that in 2019, the U.S. Office of Management and Budget and the Department of Homeland Security had created programs and strategies to address hiring issues, but many agencies, including the 24 departments that operate under the Chief Financial Officers Act, had not yet implemented these best practices.
For example, the report notes: "We reported in October 2020 that the Federal Aviation Administration does not currently have a staff training program specific to avionics cybersecurity, and none of the agency’s certification staff are required to take cybersecurity training tailored to their oversight roles." Until issues such as these are resolved, federal agencies will continue to face numerous cyber risks, the GAO concludes.
Lack of Leadership
On Tuesday, Gene Dodaro, director of the GAO, testified before the Senate Homeland Security and Governmental Affairs Committee about the report's conclusions and recommendations.
During the hearing, Republican Sen. Rob Porter, the ranking member of the committee, asked Dodaro about establishing the national cyber director position in the White House, and what role the U.S. Cybersecurity and Infrastructure Security Agency needs to play.
Dodaro testified that the lack of centralized leadership is a major reason why the report flagged cybersecurity as a high-risk issue that Congress and the administration need to address.
"CISA can play a very important role, but they don't decide who appoints the chief information officers in the agencies," Dodaro said. "They don't pick the chief information security officers. That's the agencies who have the responsibilities so they need to be involved. OMB needs to be involved, and they haven’t been as involved as they have been in the past and need to be in the future. They can help both in making sure the resource investments are there and properly set out the right policies and guidance to make sure that they get vetted during the budget appropriation process."
Tom Kellermann, who is head of cybersecurity strategy for VMware and a member of the Cyber Investigations Advisory Board for the U.S. Secret Service, suggests that the White House elevate Deputy National Security Adviser Anne Neuberger to the new cyber director position. The Biden administration recently tapped Neuberger to coordinate the government's investigation into the SolarWinds supply chain attack (see: White House Preparing 'Executive Action' After SolarWinds Attack).
Kellermann also suggests the government needs to enhance CISA's ability to conduct threat hunting, and he calls on Congress to strengthen anti-money laundering laws to deter cybercrime.
"These must be modernized to seize the virtual currencies and digital payments which are used in the cybercrime conspiracies," Kellermann says. "These seized funds should be explicitly allocated to cybersecurity investment across U.S. critical infrastructures."
SolarWinds Attack Detection
Dodaro also testified Tuesday before the House Oversight and Reform Committee, where he said the SolarWinds attack might have been detected sooner if federal agencies and corporations had done a better job of sharing threat intelligence.
"Eighty percent of the computing assets in this country are in private sector hands. We can’t effectively combat this issue without sharing between the private sector and the government sector," Dodaro said.