US Government Accountability Office Sounds Alarm About Critical Cybersecurity Challenges

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• In a report to Congress, the Government Accountability Office (GAO) said the cyber threat environment is throwing challenges at public and private sector entities alike that put national security, the economy, the environment, and human safety at risk. As evidence, the GAO cited the fact that federal agencies reported 30,659 cybersecurity incidents to the Department of Homeland Security’s US Computer Emergency Readiness Team in 2022.

• The report urged government agencies to work in tandem with the private sector to ward off threats.

A GAO report to Congress flagged the serious, and in many cases unaddressed, risks that could jeopardize national security. Since 2010, the GAO has made 1,610 recommendations to other agencies to close security gaps. The current cyber risk report noted that nearly 600 of these haven’t been acted upon, putting the security of federal systems and critical infrastructure at risk. The GAO blamed a mix of competing budget priorities, communications failures, and the inability of some agencies to accurately measure outcomes.

Through the Office of the National Cyber Director, the White House has offered guidance to both agencies and non-governmental entities on how to build an effective cybersecurity strategy and how to execute on that plan. For example, in March the White House sent a letter to all 50 state governments flagging specific threats to wastewater and drinking water infrastructure from two nation-state-affiliated threat actors. The letter included links to Environmental Protection Agency and Cybersecurity and Infrastructure Security Agency (CISA) resources specifically targeted toward water systems. These assets include training, consultative help, tools, and technical support, starting with the most basic security practices. The agencies outline foundational controls, including training staff to recognize and avoid phishing schemes, using strong passwords, enabling multi-factor authentication, and keeping software up to date.

The GAO said the federal government needs to do more to steer agencies in the right direction with respect to critical areas like securing global supply chains, maintaining an expert cybersecurity staff, and being aware of potential risks related to evolving technologies such as artificial intelligence (AI). In a 2023 report, the GAO found the Department of Defense had addressed some elements to reduce supply chain risks but had not implemented some suggested controls. In a government-wide report on AI, the GAO noted that 20 federal agencies have 1,200 current and planned AI use cases. The GAO outlined 35 guidelines to protect these, but so far none have been applied.

While the GAO noted that advances in technologies like AI show promise across a range of industries, they also open the door to new risks. The GAO urged agencies to be careful to assess any newly introduced technology and make sure they have the appropriate controls in place to minimize risk. Implementing all the GAO’s recommendations is essential to protect all federal systems, data, and staff.

What do you think?