GAO Cybersecurity Recommendations: Shouting into the Void


Introduction

    Several federal agencies and the White House are failing to comply with most of the U.S. Government Accountability Office’s (“GAO”) 4,000 cybersecurity recommendations issued since 2010. Failure to implement GAO’s recommendations threatens U.S. national security, federal institutions’ mandates, and millions of Americans’ data security. Congress ought to facilitate and compel agencies’ compliance with GAO’s highest priority cybersecurity recommendations.

    Ignoring GAO Recommendations

    GAO is the “independent, non-partisan ‘congressional watchdog’ that oversees how the federal government operates and spends its money[.]” In its oversight capacity, GAO has continued to sound the alarm on cybersecurity threats to the federal government for well over a decade. GAO has issued multiple reports, including in 2020, 2021, and several in 2023 highlighting federal agencies’ failures to address data and cybersecurity vulnerabilities, offering often unheeded recommendations to improve those agencies’ cybersecurity postures. 

    A. Recommendations to Federal Agencies Broadly

    For instance, a 2020 GAO report stated that its review of 23 civilian agencies found that “none had fully implemented all of the seven foundational practices for supply chain risk management” that GAO identified and that “14 had not implemented any of the practices.” GAO warned again in a 2021 report that “federal agencies have not implemented many of [the GAO’s] recommendations for establishing a comprehensive cybersecurity strategy and performing effective oversight.”

    Likewise, in a series of four reports across January and February 2023, GAO identified hundreds of cybersecurity-related recommendations with which federal agencies have failed to comply. According to these reports, since 2010, federal agencies have failed to implement:

    However, some agencies have made progress. For instance, GAO found through a December 2023 report that as of October 2023, 33 agencies “have implemented 88% of [GAO’s] nearly 400 prior recommendations to improve [information technology (“IT”)] management and reduce duplicative efforts.” Likewise, in 2019 and 2022, GAO made eight recommendations to the VA to address key privacy and security practices. The Department agreed with and had implemented five of the eight recommendations as of April 2023. 

    B. Recommendations to Specific Federal Institutions

    In addition to shining a light on cybersecurity issues across all agencies, GAO has singled out specific federal actors, including the White House and State Department (“State”) for failure to implement GAO’s cybersecurity recommendations. 

    1. Recommendations to the White House

    In a June 2023 report, GAO highlighted the White House’s failure to fully address three of six desirable strategic characteristics in the White House’s National Cybersecurity Strategy, including those characteristics centered around goals, resources, and organizational roles. GAO previously laid out the full list of six desirable characteristics in a 2004 report.

    2. Recommendations to State

    Likewise, GAO singled out the State Department’s cybersecurity risk management program in a 2023 report finding that State failed to implement an effective cybersecurity risk management strategy. GAO warned that “[u]ntil the department implements required risk management activities, it lacks the assurance that its security controls are operating as intended,” adding that “State is likely not fully aware of information security vulnerabilities and threats affecting future operations.” Notably, the report found that State is still running “[c]ertain installations of operating system software [that] reached end-of-life over 13 years ago[,]” likely Windows XP.

    The report also referenced multiple State Department Inspector General (“IG”) report findings highlighting State’s IT failures. For instance, State’s complex management reporting structure put its computer systems and data at risk. State also consistently faced several challenges in maintaining up-to-date software and hardware inventories, risking that it would be unaware that these systems required updates. GAO also cited State IG findings in a 2022 report in which GAO found that State had ineffective security programs in fiscal year 2020.

    Consequences of Ignoring GAO Recommendations

    GAO repeatedly warned in its reports about the consequences of failing to satisfy its recommendations. Federal agencies and critical infrastructure — like energy, transportation systems, communications, and financial services — depend on technology systems to operate and protect information. 

    Risks to these systems are increasing. Malicious actors, including foreign adversaries, are becoming more willing and capable of carrying out cyberattacks, potentially resulting in serious harm to human safety, national security, the environment, and the economy. 

    For example, in 2020, a Russian cyber espionage group, known as Cozy Bear, committed one of the highest profile cyber-attacks on the federal government in recent history by tampering with updates to IT products provided to federal agencies. The SolarWinds attack impacted nine agencies, including the Departments of Homeland Security, State, Commerce, and Treasury, potentially costing American businesses and government agencies upward of $100 billion to contain and fix the damage.

    Likewise, in 2023, a Russian ransomware gang named Clop, known for demanding multimillion-dollar ransoms, perpetrated a global cyberattack exploiting a vulnerability in MOVEit, the widely used data transfer software. The attack impacted multiple federal agencies, including the Department of Energy.

    According to a 2023 IBM report, a data breach could cost government agencies on average $2.07 million per incident. The same report said cyberattacks cost the U.S. government $13.7 billion in 2018.

    As GAO asserted, the federal government must “move with greater urgency to improve the nation’s cybersecurity,” which is vital to safeguarding privacy and protecting national security, prosperity, and well-being. Federal agencies will be “more limited in their ability to protect private and sensitive data entrusted to them” until they implement GAO’s cybersecurity recommendations.

    What Can Be Done?

    Aside from the hundreds of changes that federal agencies ought to make on their own, but are failing to make, to address this imminently disastrous risk area, Congress ought to step in to both facilitate and compel agencies’ compliance with many of GAO’s recommendations.

    A. Facilitating Compliance with GAO’s Recommendations

    Officials at 24 agencies told GAO that lack of resources was among the impediments to complying with the Federal Information Security Modernization Act of 2014, which requires agencies to develop, document, and implement agency-wide information security programs. Congress ought to commit additional appropriations to federal agencies to implement GAO’s cybersecurity recommendations since funding is clearly a significant barrier to implementation.

    B. Compelling Compliance with GAO’s Recommendations

    In addition to providing additional funding, Congress ought to impose legislative directives on agencies to comply with the highest priority GAO cybersecurity recommendations. Marisol Cruz Cain, Director of GAO’s Information Technology and Cybersecurity Team, noted, “There are no consequences for [an agency’s] failure to implement a GAO recommendation[,]” making GAO’s cybersecurity recommendations a low priority for agencies under pressure by obligatory directives. Therefore, agencies are unlikely to comply with GAO recommendations unless compelled to do so. As Comptroller General Gene Dodaro, head of GAO, explained, Congress could pass legislation requiring an agency to take certain actions to implement GAO cybersecurity recommendations. 

    Indeed, through appropriations and legislative directives, Congress ought to facilitate federal agencies’ compliance with GAO’s highest priority cybersecurity recommendations to address risks to U.S. national security, critical infrastructure, the economy, and privacy.