What are the Biggest Challenges to Federal Cybersecurity? (High Risk Update)

Cyberattacks have the power to bring our daily lives to a screeching halt. Nearly everything we use to work, play, and live relies on computer systems that are vulnerable to attacks. For example, an attack on an electrical grid could leave millions without power during hot summer months. An attack on transportation systems could bring traffic to a standstill. If our financial institutions are attacked, bank accounts could be drained and important personal financial records shared online. And if our communications are disrupted at the same time, you could be left with no way to report an emergency or get help.

Malicious cyberattacks on the federal government and the nation’s critical infrastructures, like those described above, are growing in number, impact, and sophistication. Today’s WatchBlog post looks at our new report—an update of our High Risk designation for cybersecurity—about the four major challenges facing federal efforts to protect against attacks. 

Image

Challenge 1: National Cybersecurity Strategy isn’t as strong as it could be

Last year, the White House issued a National Cybersecurity Strategy outlining steps the government is taking to address the longstanding cybersecurity challenges facing the country. But how will the government know if its strategy is working? When we looked at the strategy, we found it needed outcome-oriented performance measures for various cybersecurity initiatives.

In addition, the federal government needs to take action to ensure it is monitoring the global supply chain, confirm it has the highly skilled cyber workforce it needs, and address risk associated with emerging technologies—such as artificial intelligence. The government and the private sector are at risk when emerging threats aren’t addressed.

We saw such an attack around January 2019 after a network breach at SolarWinds. The Texas-based network management software company was widely used by the government to monitor network activities and manage network devices on federal systems. A Russian-led attack on SolarWinds resulted in one of the most widespread and sophisticated hacking campaigns ever conducted against the U.S.

We’ve made nearly 400 recommendations to strengthen the National Cybersecurity Strategy and agencies’ ability to perform effective oversight. As of May, 170 of our recommendations have not been acted on.

Challenge 2: Agencies remain limited in their ability to improve the security of federal systems and information

Federal agencies rely extensively on computerized information systems to conduct day-to-day business, including interactions with the public. Many of these systems house important taxpayer information—including Social Security numbers, income information, tax filing information, loan data, and more.

Ineffective security controls could not only leave these systems vulnerable to attack, but also delay the response to attacks. For example, in December 2021, a vulnerability in a piece of open-source software known as “Log4j” was reported. Log4j is used to collect and manage information about system activities and is used in millions of federal and private information systems. A 2013 update of Log4j was intended to make data storage and retrieval easier. But in November 2021 (8 years later), a security engineer reported a vulnerability in the feature. Federal agencies were directed to address this vulnerability. Even though there hasn’t been a known Log4j-based attack on federal IT, the weakness was deemed an “endemic vulnerability”—meaning that vulnerabilities will remain in systems for years despite actions to address them.

We’ve reported on federal efforts to help agencies address weaknesses like these so that systems and information are more secure. We’ve made more than 800 recommendations to improve efforts. But 221 of these recommendations have not been implemented, as of May. Doing so can greatly enhance the federal response to cyber incidents.

Challenge 3: Critical infrastructure sectors remain vulnerable to disruptive attacks

A ransomware attack on Change Healthcare, a health payment processor, made headlines. The attack shut down operations, resulting in nearly $874 million in financial losses and widespread disruptions for providers and patient care. Medical procedures were delayed and patients were unable to access medications.

Health care is just one of our 16 critical infrastructure sectors that is vulnerable to cyberattacks. All of these sectors rely heavily on IT systems to operate.

Image

Attacks on critical infrastructure sectors continue to grow and could seriously harm human safety, national security, the environment, and the economy. The federal government has taken some steps to address the challenges with protecting these systems from cyberattacks. But we see persistent shortcomings in these efforts. For example:

• In January, we reported that the federal agencies responsible for the four sectors that have reported almost half of all ransomware attacks—health care and public health, critical manufacturing, energy, and transportation—had not determined whether their actions to prevent future attacks include leading practices.
• In March, we reported on the challenges agencies face when collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) on mitigating cyber risks in their sectors. These challenges included sharing information about potential threats.
• Last December, we highlighted challenges reported by nonfederal entities in accessing the support they need from the federal government to address vulnerabilities.

We’ve made 126 recommendations to better protect the cybersecurity of critical infrastructure. Action is still needed on 64 of them.

Challenge 4: Efforts to protect your personal privacy face limitations

In March, AT&T reported that some of its data—which included sensitive personal information such as Social Security numbers and passcodes—had been released onto the dark web. As many as 7.6 million current and approximately 65.4 million former AT&T account holders were affected.

Attacks like these are becoming more common. At the same time, we found that federal agencies are limited in their ability to help prevent and respond to them. In 2022, we reported about the risks posed by the increasing collection and use of personal information from consumers. For example, companies collect personal and transactional data to create consumer scores, which are used to predict how consumers will behave in the future.

While collection and use of personal data increases, there’s still no comprehensive U.S. internet privacy law about companies’ collection, use, or sale of your data. This leaves consumers like you with limited assurances that your privacy will be protected.

Data the government collects about you is also at risk. In August 2023, we reported on how the IRS monitors access to sensitive taxpayer information. We found that IRS didn’t have a comprehensive inventory of the systems that store this information, limiting its ability to protect data.

On the topic of protecting privacy and sensitive data, we have made nearly 250 recommendations—112 still require action.

What needs to happen next?

Our new report provides an update on the federal government’s progress with addressing cybersecurity challenges and our recommendations to tackle them. In total, we’ve identified 567 recommendations that still need action.

Until actions are taken and our recommendations are implemented, the federal government, the national critical infrastructure, and the personal information of U.S. citizens will be increasingly susceptible to a multitude of cyber-related threats.

• GAO’s fact-based, nonpartisan information helps Congress and federal agencies improve government. The WatchBlog lets us contextualize GAO’s work a little more for the public. Check out more of our posts at GAO.gov/blog.