Title: America’s Cybersecurity Risks and How GAO Is Helping to Address Them Related work: https://www.gao.gov/cybersecurity Description: On this special episode of the Watchdog Report podcast, we discuss GAO’s role in auditing and improving America’s cybersecurity. Our guest is Nick Marinos, GAO’s managing director of our team on Information Technology and Cybersecurity. Released: April 2026 [Holly Hobbs:] From GAO's Watchdog Report, your source for fact-based, nonpartisan news and information from the U.S. Government Accountability Office—I’m Holly Hobbs. A cyberattack on the federal government or critical infrastructure (like communications networks or our financial systems) could have significant impacts. Here at GAO, we have a team of analysts that investigate cyberthreats and weaknesses both within and outside of the federal government. Through this work, our little agency plays a big role in making sure Americans are safe from attacks. On this special episode of the Watchdog Report—as part of our YourGAO series—we’ll talk with GAO’s Nick Marinos, who leads the team that does this work. Thanks for joining us. [Nick Marinos:] It's my pleasure. [Holly Hobbs:] Nick, what is GAO’s role in overseeing cybersecurity issues? [Nick Marinos:] I would say that we are a small but mighty part of that oversight. For years, Congress relied on us to provide them with a better sense of how the federal government is approaching the tall task of protecting the entire nation from cyberattacks. So not only thinking about the specific protections that federal government agencies have on their own systems and networks, but thinking big picture. How does the federal government protect a nation that has most of its infrastructure owned and operated by the private sector, too? [Holly Hobbs:] So when we audit cybersecurity, what are we looking for when it comes to what agencies are doing? [Nick Marinos:] So there's kind of two ways that we walk into that type of work. 
The first is ‘oops, an attack has happened.’ In that case the focus is on understanding the impact of an incident. So thinking about probably one of the biggest ones—it's a bit dated but it's the most impactful—back in the early 2010s, we saw the Office of Personnel Management get attacked. And in truth, it was actually someone working on behalf of OPM that was hacked. Someone was able to gain access into sensitive files and able to withdraw from it the sensitive information on millions of federal employees and retired employees as well. That was probably one of the first big red alarms that went off that we needed to think differently on how we protect the government from these types of attacks. So when we did work in that area, our first focus was on understanding the impact. What was taken? And not only that, but then what did the government itself do in reaction to it? Because this was about personal records, then we're concerned about privacy. Identity theft becomes a risk as well. OPM offered identity theft protection services to those affected individuals. So some of our work was able to weigh in on, like, were those the right steps that they took? Make recommendations to see how, not only can they do it better now, but in the future as well. So that's one piece of it. The other piece is truly understanding why it happened. What were the vulnerabilities that were taken advantage of to make the attack successful? And that's where we end up with recommendations that are going to protect the government agency right away, because we don't sit on that information. If our technical experts identify a vulnerability, we're going to let them know about it. We're still going to write about it, but we're going to let them know so they can protect themselves immediately. [Holly Hobbs:] Can we talk about an example? [Nick Marinos:] Yeah, for sure. [Holly Hobbs:] Can we talk about SolarWinds? [Nick Marinos:] We can talk about SolarWinds. 
[Holly Hobbs:] Did we do—did we end up doing audit work on SolarWinds? [Nick Marinos:] We did a variety of reviews looking at that. And for folks that may not be familiar with it, when we're talking SolarWinds we're talking about a very complicated set of vulnerabilities that led to weaknesses, not only within federal government agencies, but across the globe. Private companies, big and small, were affected by this. And the bottom line is it's a perfect example of how complicated protecting oneself from cyberattacks is. In the case of SolarWinds, it all started with vulnerabilities in software that were then used by these federal government agencies. When we did our work, we were asked a couple of questions. First is, what the heck is SolarWinds? Like, what is the vulnerability, and how can we then protect ourselves from it? In some ways we're also there to be the tech explainers, you know, to be able to explain not only the nature of an attack, but to better understand how the technology interacts with the federal government. [Holly Hobbs:] So the second area we look at is critical infrastructure, much of which is not within the federal government. What kind of work are we doing in that area? [Nick Marinos:] Yeah, this is probably the one that is the widest in range of topics. It's also the place where we do the most collaboration with the experts in particular industries and sectors at GAO, and the cyber-nerds within my team. I'm one of them, so I can say that. So, I like to think of infrastructure as being the stuff that keeps our daily lives normal. We want things to work the way we expect them, whether it’s safe water coming out of our faucets. It's all the lights that are here in this room working properly with no brownouts. It's the food that we eat. Having a good supply chain so that we don't have shortages or the potential that someone could do harm to our food as well. 
So the way that we fit into this is looking more specifically at how the government establishes relationships with the private sector. There are what's called sector risk management agencies. What that means is very basically that you've got folks like the U.S. Department of Agriculture coordinating and connecting with the associations and farmers and companies that provide us the food that we eat. Or if we're thinking about the grid that we're working with, not only the electricity grid regulators but also the owners and operators of power grids around the nation to come up with standards and expectations on the basic cybersecurity that everybody should have. And then also be in a position to share information. So let's say that you've got a telecom company that's identifying some kind of suspicious information. They're not only sharing it actually with the government, but they're also sharing it among competitors, because in a lot of ways a vulnerability to one big company could be something that other companies are seeing as well. We come in, in this space, to look at not only the partnerships, but the expectations that the government is setting. There are ways for the government to set regulations that then level everybody up. The problem in this space is that you've got mom and pop shops. You've got local municipalities managing water. You've got people that may not have the IT skills, the funding and resources, and the know-how to actually protect themselves adequately to keep up with software updates. And so we'll look at ways that the government can do that better, make recommendations around not only the collaboration between these groups, but the expectations that are being set. [Holly Hobbs:] So far we've talked about these big things, right? Federal government is big. Critical infrastructure is mostly big. What are we doing to protect people—just everyday people? [Nick Marinos:] Yeah. So that's a big area that we've seen grow. 
I feel like the 2010s was like the data breach decade. Back in the early 2010s there were some big, high-profile ones like Yahoo got hacked. Verizon got hacked. There are some big companies affected by these big breaches that were calling into question whether they could adequately protect our data. The government is no exception to this. Since 1974, 50 years ago, we've had expectations set in law through the Privacy Act that says that the government is going to protect our personal information. It's going to use it for the purposes that it specified and no more than those. And it's going to provide security around it. Unfortunately, what we've seen is that that personal information is highly valuable. It may be highly valuable to criminals that want to use it for identity theft. It may be highly valuable to other nation states that want to paint a broader picture about the nation itself or about its individuals. The way that we fit into this is really trying to help bolster federal government agencies to be thinking about privacy early on. So as they’re thinking about developing new technology, acquiring new systems, not just thinking about whether it's adequately protected, but that the privacy of that information is going to be properly handled and protected itself. The other piece of this, too, from the privacy perspective is understanding what the government's role is in regulating the way with which private companies manage our data, use it as business—I mean, it's a big moneymaker from a reselling perspective—and to see what we can do to better ensure that they're doing that properly. The challenge within our nation is that we do have a patchwork of laws when it comes to privacy. 
Even though GAO has been on record for over 10 years calling for Congress to think about establishing a more cohesive and broad set of privacy expectations for the whole nation, we're still looking at individual states and how they themselves expect companies that operate within their states to protect our information. And that makes it really challenging. [Holly Hobbs:] Technology's always changing. And what we do to prevent cyber attacks is going to change too. How are we looking into that evolving environment? [Nick Marinos:] Yeah, ultimately in this space, it's a combination of understanding what is the current state of things and what will it be. That part's very tough. So I'll take as an example, artificial intelligence. We're currently doing work and assessing—not only the ways with which federal agencies are trying to protect themselves against AI-enabled attackers. But we're also thinking about it from a defensive perspective. How federal government agencies are looking to leverage that technology to protect themselves as well. As we do our work, we're trying to modernize the way we do it as well. We have a collection of experts within our team that not only talk the talk but also walk the walk. This is a group of individuals that often come from the private sector or come in with technical expertise into our team. We leverage that expertise for a lot of those agency-specific reviews where we want to sit down with the smart people at the federal agencies and have people that can speak their language, that can actually talk through the specific settings that they have, the specific ways that they're using software so that we can give more prescriptive perspectives on how they can do it better. [Holly Hobbs:] GAO’s a building full of auditors. Auditors are great at pointing out what people are doing wrong. What problems have we helped solve or issues have we made better? 
[Nick Marinos:] So I'm really proud to be able to say thousands and know I can back it up with data, because I'm an auditor, right? I got to do that. So we talk often about the number of recommendations we've made, which is around 4,000 since 2010, which is a ton of recommendations. But we've seen upwards of like 3,300 or so get implemented. That means that a federal agency has said, ‘We hear you, GAO. We're working on corrections. And oh, not only have we done it, but we can demonstrate that to you.’ So a lot of things happen on the audit after the report is actually issued, especially within this space. One of the most satisfying efforts that I see my team go through is—on those big reviews where we have sometimes hundreds of recommendations—when we get to issuing a public report, dozens of those may have already been corrected by the agency. What's great about that is one is they're obviously better protected. And two, we can give them credit. We can say, like, ‘Hey, to their credit, they moved really fast on these.’ So I'll give you a specific example on this. A couple of years ago, we did a very extensive review at the State Department. We looked at how they approach managing cyber risk as a very federated, just spread-out institution that has to protect its buildings and systems within the nation, as well as every post, embassy, and consulate in other countries. And imagine, having to protect from cyberattacks in a foreign nation. That could be really challenging. So we did the work more broadly, looking at ways that they could better organize themselves to confront that. We also did technical work. We issued a report that had hundreds of recommendations on how they can do those protections better. Man, they were quick to move to implement them. So that just kind of gives you an example of the way that we work closely with other departments and agencies as well. [Holly Hobbs:] You lead the team that does all this work. What can you tell us about your team? 
[Nick Marinos:] I get goosebumps just answering the question. I have the best colleagues, across the board. They are creative, they are curious, and they are super dedicated. The team that we've built at GAO over decades, intentionally, was aimed at not only putting us in a position to answer the big questions but to have technical experts on hand that can solve tough problems at federal government agencies. And, oh, by the way, help GAO itself as it's protecting itself from cyber threats as well. We have people that come from all walks of life when it comes to IT. We have people that are thinking bigger picture about the public policy issues. So thinking about tough legal problems related to cybersecurity, all the way to the super technical folks that manage their own systems and networks just to stay on top of their skills. And that's really important because you don't want to sit in a room with super smart and super technical folks at agencies and have them say, like, ‘what do you know?’ And truly be like, ‘Meh, I'm just the auditor here.’ It's great to have experts there that are able to say, ‘I know because I'm doing this. I know because I have fully experienced what it means to identify the vulnerability and protect it for networks that I have maintained as well.’ [Holly Hobbs:] Congress is interested in cybersecurity issues. They've asked us to audit cybersecurity through all the things we've discussed today. But what can Congress do to help federal agencies? [Nick Marinos:] Yeah, there's a couple of things I think Congress has done recently that have been really important and impactful. One is—and we had a hand in it—we had issued reports about 5-6 years ago that focused on the need for more clear leadership to be defined within the White House. We needed a point person that someone could look to, not only in times of trouble where, like, an attack may have happened, but also to look for the strategic vision of the entire nation. 
We didn't have one set in law. And so GAO through its work was able to recommend that Congress think about putting in law the creation of that position. About a year later, Congress passed a law to establish the National Cyber Director position. Other ways that Congress has done outstanding oversight is by holding hearings, by doing their own investigations. And we often are enhancing those through the work that we do as well. Where I think Congress can do more is to try to stay ahead of the technology advances. And they're trying. So thinking about, for example, ways that they are pursuing legislation regarding artificial intelligence. Looking at how CISA is being empowered to, not only enforce strong protections across the federal government agencies, but support those owners and operators out there that may not have the capabilities to do it themselves. One other place, I would say, is that we've been encouraging Congress to strongly consider updating that law from 1974. The Privacy Act was written at a time when obviously technology was being used very differently. So when we think about the premise of a law that's focused on how the government manages and uses our personal information, at that time, it was probably more like in file cabinets, which is a very different era than where data sets can quickly go out the door or be misused if there aren't appropriate protections in place. So we think that it's time to consider, for example, establishing a Chief Privacy Officer within each federal government agency who has the responsibility of making sure that they can loudly say privacy needs to be considered early in, not only IT decisions but policy decisions as well. [Holly Hobbs:] Why is it important that GAO do this work versus, say, an IG or the private sector or anybody else? What do we bring to the table? [Nick Marinos:] We bring a lot. I would point to independence as probably the most important piece of this. 
You need an independent perspective to know that things are being done adequately, for Congress itself to have a clear picture of where we're falling short, because that's how they're going to understand not only the laws to pass, but the funds to appropriate to make sure that we have, for example, a workforce that can do this in an adequate fashion. So I think putting us in that independent perspective is not only a benefit to Congress, but a benefit to those that we audit as well. {Music} [Holly Hobbs:] Nick, thanks for your time. [Nick Marinos:] Oh, thank you so much. It was a blast, Holly. [Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. And make sure you leave a rating and review to let others know about the work we’re doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.