Federal cybersecurity has “regressed” since 2019 due to factors including the lack of centralized cyber leadership at the White House, the Government Accountability Office (GAO) said in a report released Tuesday.
The watchdog agency included boosting federal cybersecurity as a key issue in its “high risk” report to Congress, which outlines a wide array of areas where the federal government is both succeeding and falling behind.
“Federal agencies and other entities need to take urgent actions to implement a comprehensive cybersecurity strategy, perform effective oversight, secure federal systems, and protect cyber critical infrastructure, privacy, and sensitive data,” GAO wrote.
It said the nation’s cybersecurity need “significant attention,” pointing in particular to “missing important characteristics” in the Trump administration’s National Cyber Strategy, released in 2018, and the lack of an “officially appointed central leader” on cybersecurity at the White House.
The 2021 National Defense Authorization Act established a national cyber director position within the executive branch, but President Biden has not yet nominated an individual to fill the role.
Cyber workforce is also a concern, with GAO finding that none of the 24 federal agencies reviewed had ensured that employees had the cybersecurity skills necessary, particularly in the areas of electric grid and aviation cybersecurity.
“Federal agencies and our nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on IT systems and electronic data to carry out operations and to process, maintain, and report essential information,” the watchdog agency wrote. “The security of these systems and data is vital to public confidence and national security, prosperity, and well-being.”
Other areas of high risk identified by GAO included the U.S. census process, the U.S. Postal Service’s lack of financial viability in 2020, and the monitoring criteria for the Environmental Protection Agency’s process for identifying and removing toxic chemicals.
The report was released as the federal government continues to grapple with the extent of what has become known as the SolarWinds hack.
The incident, ongoing for almost a year before discovery in December, involved likely Russian hackers infiltrating software from IT group SolarWinds and using this to compromise its customers. A White House official said last month that at least nine federal agencies and 100 private sector companies were breached.
The overall report was the focus of a House Oversight and Reform Committee hearing on Tuesday, at which U.S. Comptroller General Gene Dodaro testified. The Senate Homeland Security and Governmental Affairs Committee will hold a hearing on the same topic Tuesday afternoon.
Oversight Chairwoman Carolyn Maloney (D-N.Y.) highlighted the need to confront the “silent battle” within critical networks against malicious hackers.
“The SolarWinds breach that came to light last December, as well as escalating targeted cyberattacks that have drained millions of dollars from struggling hospitals, are just two examples of the threats we know about,” Maloney said during her opening remarks.
Dodaro outlined the need to address the nation’s cybersecurity vulnerabilities, noting that 750 of the 3,300 recommendations GAO has made on federal cybersecurity since 2010 remain open.
He said that had these recommendations been addressed, the SolarWinds hack would likely have been discovered earlier.
“We would have been better postured to detect and defend ourselves, and take quicker action,” Dodaro testified.
The comptroller general also highlighted the need for the Biden administration to fill the national cyber director role, and supported the idea of increased information sharing between the federal government and private sector on cybersecurity incidents.
“So far, we’re not at that point of having enough fluidity in the sharing of this information to have an integrated, coordinated effort to protect our nation,” Dodaro said. “I’m hopeful that the cybersecurity coordinator, once that’s filled, can help build trust and build mechanisms to more effectively share that information.”