From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Urgent Actions Needed to Address Federal Cybersecurity Challenges

Description: Threats to our nation's cybersecurity infrastructure were once again highlighted after reports in December of a mass-breach of U.S. government agencies, businesses and contractors. GAO has included cybersecurity on our list of High Risk Areas in government since 1997. We'll get an update on the federal government's efforts to address these risks from cybersecurity experts--Jennifer Franks and Vijay D'Souza.

Related GAO Work: GAO-21-288, High-Risk Series: Federal Government Needs to Urgently Pursue Critical Actions to Address Major Cybersecurity Challenges

Released: March 2021

[Intro music:]

[Vijay D'Souza:] The constant threats that federal agencies face demonstrate the importance of getting the cybersecurity issue right, and getting it right as quickly as possible.

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office--celebrating 100 years of fact-based, non-partisan government oversight. I'm Holly Hobbs. Threats to our nation's cybersecurity infrastructure were once again highlighted after reports in December of a mass-breach to U.S. government agencies, businesses and contractors. We at GAO have long reported on the challenges and risks surrounding federal cybersecurity, and have included cybersecurity in our list of High Risk Areas in government since 1997. Today, we'll get an update on the federal government's efforts to address these risks. We'll talk with 2 GAO cybersecurity experts--Jennifer Franks and Vijay D'Souza, who are both directors in our Information Technology and Cybersecurity Team. Thank you for joining us, Jennifer and Vijay!

[Vijay D'Souza:] Thanks. Great to be here.

[Jennifer Franks:] Thanks for having us.

[Holly Hobbs:] So Vijay, we've heard a lot about cybersecurity recently--because of the SolarWinds and the Microsoft Exchange attacks. Generally, how do those attacks relate to the topics in our report?

[Vijay D'Souza:] So, these attacks are really significant, and GAO actually has work underway looking at the federal response to these attacks. This report focuses more on our prior work, but a lot of the themes we've identified are still relevant. So, for example, we recently did some work looking at supply chain issues, which is what the SolarWinds attack demonstrated. And we found a number of weaknesses in that. And then we've emphasized a need for a single leader for cybersecurity response efforts and the complexity in efforts to respond to both the SolarWinds and the MS Exchange breaches have demonstrated the importance in having that single leader overall of the federal response efforts.

[Holly Hobbs:] We've issued 40 reports with hundreds of recommendations for improving the government's cybersecurity efforts in just the last two years alone. Can you tell us, broadly speaking, what are the cybersecurity challenges?

[Vijay D'Souza:] The first challenge is really developing a comprehensive federal strategy--looking at things like supply chain risk and emerging technology--such as artificial intelligence and the Internet of Things. The second one is looking at both individual federal agency IT security programs and government-wide cybersecurity initiatives run by a group such as the Department of Homeland Security. The third area is critical infrastructure. Most of the critical infrastructure in the U.S. is not operated by the federal government. So, how does the federal government work with private companies to share critical cybersecurity information? And then the last area is looking at federal efforts to protect privacy and sensitive data.

[Holly Hobbs:] Jennifer, we've reported on cybersecurity challenges for more than 20 years.
Why does the federal government continue to struggle in addressing these challenges?

[Jennifer Franks:] Some of the key reasons why this was added 20 years ago are still true to this day. For instance, we still see that senior agency officials lack the full awareness of cybersecurity risks that are facing their agencies. We also see that agencies in many, many cases have poorly designed and implemented security programs. And we also have a shortage of personnel. So we're looking at the personnel with lack of training and technical expertise that is really needed to manage security controls in today's sophisticated environment. So, the threat landscape has changed, but the cybersecurity challenges persist.

[Holly Hobbs:] And our new report provides an update on the federal government's efforts to enhance cybersecurity. Did we find any improvements?

[Jennifer Franks:] Yes. Absolutely. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has taken a number of steps recently to become more proactive in leading and strengthening federal and critical infrastructure cybersecurity. And we had two reports last year that looked at some of those improvements. One, reported efforts on DHS having a statutory authority to issue binding operations directives, which required safeguards for civilian agencies' information systems. And then we had another report that looked at CISA helping state and local election officials to secure voter registration, voting machines, and other election infrastructure given the upcoming election.

[Holly Hobbs:] And what remains to be done?

[Jennifer Franks:] Well, since 2010, we have issued about 3,300 recommendations. And agencies have implemented about 2,700 of those recommendations. These recommendations span across the four cybersecurity challenges that Vijay noted earlier on.
Many of the agencies and the critical infrastructure entities continue to face challenges in safeguarding their information systems and the data on these systems. And a lot of it has to do with not implementing some of our recommendations. In December 2020, we notified Congress that there were 750 of our recommendations that had not been implemented. And there are about 103 that we have made priority recommendations, and 67 have not yet been implemented.

[Music]

[Holly Hobbs:] So it sounds like federal agencies have made progress in securing their IT systems and other critical infrastructure against cyberattacks, but that there are still some challenges, some weaknesses that put the nation's cybersecurity at risk. Jennifer, within those hundreds of recommendations we've made about cybersecurity, which actions are the most urgent?

[Jennifer Franks:] Well, Vijay already mentioned one--to highlight the need for a central leadership office to centralize and coordinate cybersecurity-related organization across the federal government. With the current administration, we've yet to see someone nominated for the position. We think that identifying an individual for this position--that we may see some improvement with federal government coordination and collaboration so that they can be more ready to respond to the continued cyberattacks and challenges. We've also seen the prior administration's cybersecurity strategy and implementation plan detail some of the approaches to managing the nation's cybersecurity. But we found that they're not always addressing the desirable characteristics of national strategies, such as the goals and the resources that are needed--and that could be personnel or financial.

[Holly Hobbs:] And last question, team, what's the bottom line of this report? Jennifer, let's start with you.

[Jennifer Franks:] Bottom line for me is for the federal government to better manage its information technology and apply more urgency to ensuring cybersecurity across our nation.

[Holly Hobbs:] And Vijay?

[Vijay D'Souza:] Well, I think that--in addition to what Jennifer said--these recent two cyberattacks and the constant ongoing stream of attacks and threats that federal agencies face demonstrate the importance of really getting the cybersecurity issue right, and getting it right as quickly as possible.

[Holly Hobbs:] That was GAO's Jennifer Franks and Vijay D'Souza talking about their new report on cybersecurity challenges facing the nation. Thank you for your time, Jennifer and Vijay.

[Jennifer Franks:] Thank you for having us!

[Vijay D'Souza:] Thank you.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. And make sure you leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.