Title: Federal Response to Cyber-based Attacks

Description: Cyber-based attacks on federal systems have become more damaging and disruptive. Federal agencies are required to secure their IT systems from these attacks. GAO's Jennifer Franks joins us to look at our new report on the federal government's ability to respond to attacks and the challenges these efforts face.

Related GAO Work: GAO-24-105658, Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements

Released: December 2023

[MUSIC]

[Jennifer Franks:] With proper safeguards in place, our computer systems would be a lot stronger and not be as vulnerable to individuals and groups.

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report--your source for fact-based, nonpartisan news and information from the U.S. Government Accountability Office. I'm your host, Holly Hobbs. Cyber-based attacks on federal IT systems have become more damaging and disruptive. Federal agencies are required to secure their IT systems from these attacks. And in a new report, we look at the federal government's ability to respond to attacks and the challenges these efforts face. Joining us to talk about this report is GAO's Jennifer Franks, an expert on federal IT security. Thanks for joining us.

[Jennifer Franks:] Thanks for having me, Holly.

[Holly Hobbs:] So, Jennifer, this issue--cyberattacks--there is a lot of federal activity going on to combat it, and that's being led by the FBI and the Cybersecurity & Infrastructure Security Agency--or CISA. And that's a lot. But maybe you can start us off with an example that illustrates how cyberattacks have become more damaging and disruptive, and these agencies' role?

[Jennifer Franks:] So one of the more recent examples is MOVEit. And MOVEit is a managed-file transfer software solution. And it has been used by multiple organizations, but this included federal agencies.
And in June of this year, FBI and CISA issued a joint cybersecurity advisory that alerted us that a malicious actor had begun to exploit a vulnerability found in this particular software. And to date, this has actually resulted in the theft of sensitive data of well over 70 million people. And what MOVEit really highlights and why it's so important, is that the federal government really just needs to be more prepared to better respond, manage, mitigate and even learn from all of these cybersecurity vulnerabilities and incidents. And without proper safeguards in place, our complex computer systems are increasingly more vulnerable to all of these individuals and groups with malicious intent to cause harm to our various computing environments.

[Holly Hobbs:] So, who or what is trying to make these attacks? What's their motivation?

[Jennifer Franks:] So it's not just one set of who and what. Threats can come from a variety of sources. And they vary in terms and types of capabilities. And the actors and their motives. And motives is actually something that we consider to be very important as we watch and be able to effectively respond to all of these cyberattacks. So I talked about MOVEit. And what we've now found, that was a Russian ransomware group that was behind that particular cyberattack. But that's just one group out of millions. And each group has their own goals. They have their own tactics, they have their own motives. And to be honest, motivation can range from a group or individual wanting to impress someone about their hacking skills, but then they can be far more serious, like state sponsored attacks. Another high-profile event that really is still ringing very loudly across the federal government is SolarWinds. And beginning in January 2019, what we now know to be the Russian Foreign Intelligence Service breached the computing networks at the company SolarWinds. And this led to the threat actor infecting several agencies' information systems.
But what was different about this event is--we understood their motive to be espionage on the federal government, which just means they were spying on us.

[Holly Hobbs:] So given all these threats, how prepared is the federal government in preventing and responding to attacks like this?

[Jennifer Franks:] So GAO has been talking about cybersecurity or information security since 1997. So for the last 26 years, we have been highlighting high risk areas that focused on cybersecurity or information security, and we frequently reported on federal agencies' cybersecurity incident response programs. And similar to a GAO title, agencies have made progress, but the work remains. They've taken some of the necessary steps to even standardize their plans and even demonstrate improvement in their capabilities for detecting an incident, creating analyses and even handling and managing the incident. But what we do find is that, again, once agencies are able to fully implement these requirements, they honestly would be better able to detect and investigate all of the cyber events that impact our organizations.

[Holly Hobbs:] So there are several laws and requirements that federal agencies be prepared against cyberattacks. What have agencies told us about the challenges that hinder their efforts?

[Jennifer Franks:] There are three overarching challenges that we highlight in this report. So, the workforce issues, the lack of staff--over half of the CFO agencies that we reviewed had a shortage in personnel to just carry out some of these responsibilities. The next area we focused on with challenges was technical requirements in meeting some of the federal criteria, such as event logging. And event logging is important because it helps us to stay updated on system errors or even detect unauthorized activities across our networks. And OMB issued a memo in 2021, that really specified some of the requirements that were going to be needed to capture some of these logs.
But in order to do so, agencies would need to increase their storage capacity or their storage capabilities. But this comes with a hefty price tag, and not all agencies have the additional funding. And the last challenge area we really highlight in this review is cyber threat information sharing. And the government really has strengthened its information sharing since that SolarWinds attack. But many agencies really do still struggle with the large volume of cyber-threat intelligence information and the analysis of such a volume of data.

[MUSIC]

[Holly Hobbs:] So Jennifer just told us that cyber threats against the federal government are growing. And that while agencies have taken steps to ward against these attacks, their efforts face some key challenges. So, Jennifer, what more do we think the federal government should be doing to protect its systems from cyberattacks?

[Jennifer Franks:] The federal government really needs to address the cybersecurity workforce challenges, and that's going to just help us to be better prepared with the staff to respond to all of these events. We then need to improve the implementation of government-wide cybersecurity initiatives that lay out all the federal laws and policies that we need to adhere to. And then we need to address weaknesses in our federal agency information security programs. And this is also laid out in federal guidance and laws. Until we fully implement all of these requirements, there really is just going to be an increased risk that we will not have all of the necessary complete information from the logs and other events to better detect and investigate, and respond to the cyber threats that impact our various organizations.

[Holly Hobbs:] And last question, what's the bottom line of this report?
[Jennifer Franks:] So the bottom line really is--without fully implementing federal requirements there is going to be an increased risk that agencies just will not have the complete information to detect, investigate and even then remediate the cyber threats, and events, and vulnerabilities that impact our various environments. And if these challenges continue, what I said if, but when these challenges continue, the federal government as a whole just may lack the necessary critical information and insights for identifying potentially significant cyber threats that we could respond to.

[Holly Hobbs:] That was Jennifer Franks talking about federal efforts to respond to and prevent cyber-based attacks. Thanks for your time, Jennifer.

[Jennifer Franks:] Thanks for having me, Holly.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, Spotify, or wherever you listen and make sure to leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the US Government Accountability Office, visit us at GAO.gov.