GAO slams lack of cyber progress as Congress gets involved

A new High Risk series report from the Government Accountability Office took the federal government to task over its lack of action on cybersecurity. The report said that agencies still have not implemented roughly a third of the 3,000 actions GAO has recommended since 2010 to improve the government’s cyber posture. The report also laid out four major cybersecurity challenges and 10 actions agencies can take to address them.

The four major challenges identified by GAO in the Sept. 6 report are:

  • establishing a comprehensive cybersecurity strategy and performing effective oversight,
  • securing federal systems and information,
  • protecting cyber critical infrastructure, and
  • protecting privacy and sensitive data.

The report then goes into detail about how to address these issues, including actions such as “develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace” and “mitigate global supply chain risks.”

It’s not clear whether this will be the impetus federal agencies need to make this a priority, but for once, Congress may actually be ahead of the game.


Last week, the House passed four bills that address some of the very same issues raised in the GAO report.

Cyber Deterrence and Response Act

Lawmakers like Sens. Mark Warner (D-Va.), Tim Kaine (D-Va.), Angus King (I-Maine), Mike Rounds (R-S.D.), Rep. Dan Donovan (R-N.Y.) and the recently deceased John McCain have long been agitating for a cyber doctrine, a line in the sand regarding cyberattacks.

The Cyber Deterrence and Response Act of 2018 doesn’t quite rise to that standard, nor is it a “comprehensive cybersecurity strategy.” But it’s a step in that direction.

It concerns itself only with “state-sponsored cyber activities,” but in doing so it would lay down a baseline set of criteria for what exactly should be considered a cyber threat. This covers a range of actions, from disrupting a computer or network to “causing a significant misappropriation of funds” to interfering with critical infrastructure, that could result or have resulted in “a significant threat to the national security, foreign policy, or economic health or financial stability” of the country.

The bill also outlines specific sanctions that would be triggered by such a threat, and would require the President to impose at least one of them.

Securing the Homeland Security Supply Chain Act

Mitigating global supply chain risks is one of the 10 actions GAO suggested, this one specifically geared toward establishing a cybersecurity strategy.

“The reliance on complex, global IT supply chains introduces multiple risks to federal agencies, including insertion of counterfeits, tampering, or installation of malicious software or hardware,” the report stated.

Considering that the Homeland Security Department holds primary responsibility for the cybersecurity of civilian federal agencies, its supply chain is a reasonable place to start. The Securing the Homeland Security Supply Chain Act would do just that.

The bill would give DHS the authority to limit information disclosed to certain vendors, or exclude them from the procurement process entirely if they’re determined to pose a risk to the DHS supply chain. The chief acquisition officer and chief information officer would help the DHS secretary in determining which vendors pose such a risk.

DHS would be required to notify the vendor, insofar as national security and law enforcement considerations allow, and give it 30 days to argue its case. DHS would also be required to notify Congress, the Office of Management and Budget, and other federal agencies.

Advancing Cybersecurity Diagnostics and Mitigation Act

This bill would codify DHS’ Continuous Diagnostics and Mitigation program, which began in 2012. For the most part, it wouldn’t change the program, but it would add certain requirements.

For one thing, the bill would require DHS to “regularly deploy new technologies and modify existing technologies” related to the CDM program.

It would also require DHS to create a “comprehensive” CDM strategy, including coordinating the installation and maintenance of tools, capabilities and services, identifying obstacles, providing recommendations and guidelines for maintenance, data collection and analysis, and future efforts.

Finally, it would require DHS to report to Congress on the cybersecurity risk posture within 90 days after formulating this strategy, based on the data collected by the program.

DHS Chief Data Officer Authorization Act

This bill would require the DHS CIO to establish a Chief Data Officer position, responsible for implementing best practices in data management and coordinating the release of public data.

While this may not directly affect cybersecurity, the GAO report touched on the need to appropriately safeguard data, particularly personally identifiable information. The CDO would work with the DHS Chief Privacy Officer to accomplish this.