Cybersecurity

Federal agencies only followed 40% of GAO cybersecurity recommendations: report

GAO warns that ‘federal agencies will be more limited in their ability to protect private and sensitive data.’

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

They say that 60% of the time, it works every time—unless you’re the federal government, then it only works 40% of the time.

A US Government Accountability Office (GAO) report published January 19 found glaring deficiencies in how the federal government is approaching cybersecurity. In the six-page report, the GAO detailed a plethora of incomplete security measures, including recommendations the office had made that have yet to even be attempted.

“Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” the report said.

Bad pattern. Federal cybersecurity efforts have been found wanting over the past few years. As IT Brew reported last month, commercial spyware is increasingly being used by adversaries to target US officials overseas. And the threats aren’t limited to the international sphere; US federal courts were hacked in December 2020.

In the case of the courts hack, the Department of Justice was criticized after not sharing details about what happened until pressed by lawmakers. Sen. Ron Wyden wrote a letter to the courts to “express serious concerns that the federal judiciary has hidden from the American public and many Members of Congress the serious national security consequences of the courts’ failure to protect sensitive data to which they have been entrusted.”

Whistling past the hackyard. Of 335 GAO cybersecurity recommendations since 2010, federal agencies have yet to implement 201 of them. GAO found that the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS), for example, only “partially addressed most of the key practices associated with effective reforms through their efforts to implement several projects, such as training employees to fill vacant cybersecurity positions and streamlining hiring processes.”

“However, OMB and DHS had not established a dedicated implementation team or a government-wide implementation plan, among other practices,” the report continued. “Without these practices in place, OMB and DHS will likely be unable to make significant progress towards solving the cybersecurity workforce shortage.”

With threats to the supply chain, risks associated with IoT technologies, and the rise of AI, the need for federal cybersecurity efforts is higher than ever, the GAO report said. AI in particular is going to be a concern for federal agencies, with the technology’s growth coinciding with more sophisticated attacks.

“The expanding application of AI cyber capabilities would make cyberattacks more precise and tailored, further accelerate and automate cyber warfare, enable stealthier and more persistent cyber weapons, and make cyber campaigns more effective on a larger scale,” the report warned. “The federal government will need to take appropriate action to address these threats.”—EH
