GAO reminds White House of cyber backlog
A congressional watchdog is sending a reminder to the White House that it has a long laundry list of cybersecurity regulations to address as the 2024 election draws near.
The Government Accountability Office is breaking biennial tradition with the latest update to its “high-risk list,” a term the watchdog uses to denote areas that are “vulnerable to waste, fraud, abuse, or mismanagement, or in need of transformation.”
Cybersecurity has been on the GAO’s high-risk list since 1997, Sarah Kaczmarek, acting managing director for GAO’s Office of Public Affairs, said during a call with reporters this week.
“That high-risk area has evolved as technology has changed, of course, and while this is an off year for the high-risk list, the comptroller general felt it was important to issue an update on our work on cybersecurity,” Kaczmarek said.
The more than 80-page report goes over four main areas: establishing a comprehensive cybersecurity strategy with effective oversight, securing federal systems and information, protecting critical infrastructure and protecting privacy and sensitive data.
The White House has yet to implement 567 out of 1,610 cybersecurity-related recommendations the government watchdog has issued since 2010, according to the report.
“A lot of them are really, really critical to securing the cybersecurity of our nation,” said Marisol Cruz Cain, director of information technology and cybersecurity at the GAO.
One of the biggest recent recommendations focused on implementing the national cybersecurity strategy. The GAO reported in February that the White House’s cybersecurity strategy implementation plan lacked performance measures and estimated costs, limiting the ability to determine the effectiveness of the strategy — a particularly salient point since the strategy is an evolving document meant to be updated once a year to keep up with the fast-changing field.
The Office of the National Cyber Director disagreed with the assertion, however, claiming that the field does not have “outcome-oriented performance measures to assess cybersecurity effectiveness.” Last month, the White House issued the first update to the implementation plan, which added 31 more initiatives.
However, the added measures did not address the GAO’s criticism, Cruz Cain said. “It did not establish any outcome-oriented performance measures, and we think that’s really important because there was a lot of time and effort put into both the strategy and the implementation plan. And how are we going to know if it’s successful if we don’t base that on certain outcomes that we want to see?”
Another major challenge is in critical infrastructure protection, with more than half of the 126 recommendations on the topic still unaddressed, the report said. While the GAO noted the administration took steps to address challenges in protecting critical networks like those that undergird water and electricity, the watchdog “has continued to report shortcomings in efforts to ensure the security of key critical infrastructures.”
The report noted that federal agencies in charge of critical infrastructure sectors should take a more active role in ensuring that best practices for defending against ransomware are followed. The GAO issued a report in January calling out the federal agencies charged with overseeing the critical manufacturing, energy, health care and transportation sectors, which have little data on whether owners and operators have adopted best practices against ransomware.