Three Key Areas Where GAO Has Helped Strengthen Cybersecurity Nationwide
Many of us may remember the 2010s as the data breach decade. No sector was spared. High-profile breaches included communications (Yahoo and Verizon), personal data collected by credit organizations (Equifax) and shopping centers (Target), and even the federal government (Office of Personnel Management).
In the wake of these attacks, GAO was asked by Congress to look at vulnerabilities and the actions needed to prevent and better respond to future incidents. And we did just that—helping to address key weaknesses to prevent future attacks. But technology and threats are always evolving. As new threats emerge, GAO continues to provide Congress and the American people insights into cyberthreats and recommendations to improve the security of your personal and public data.
Today’s WatchBlog post is part of our YourGAO series. This post looks at three areas of cybersecurity that your GAO has helped improve—and why we’re uniquely positioned to do so.
Image: Three areas of cybersecurity GAO has improved
First, let’s start with the big thing GAO has helped—the federal government. We’ve made about 4,000 recommendations to agencies since 2010 that have helped prevent cyberattacks and breaches, as well as respond to and recover from them more quickly. And agencies have acted on the vast majority of them (about 3,300).
Often, we won’t wait until the report is published to share our recommendations. We’ll share them as we do the work so that agencies can address vulnerabilities right away. For example, a couple of years ago, we conducted an extensive review of the State Department’s cybersecurity. We looked at the big picture of how State manages cyber risks across its spread-out, global presence. Our work resulted in hundreds of recommendations for improving these efforts. And State officials acted right away to address many of them.
The second big thing we’ve helped secure is critical infrastructure—things that keep our daily lives normal. Think of electricity grids, water and wastewater plants, food supply chains, banking systems, and telecommunications, all of which rely on computers and networks to operate. These are all important to our daily lives and big targets for our enemies.
In our work, we look at how the federal government collaborates with the private sector to ensure the lights stay on, water keeps running, and food stays safe. We’re also collaborating with industry experts to understand the unique challenges their sectors face. For example, many water and wastewater facilities are run by local governments. They may not have the staff or expertise needed to safeguard their systems from sophisticated cyberattacks. So, we want to know what the federal government is doing to help them. And we want to know whether others in this sector—maybe neighboring cities or state government entities—are sharing best practices too. We look at these efforts and see whether there are ways to improve them.
The third area where GAO’s work has helped improve cybersecurity is for you! We’re doing a lot of work to understand the threats to data and privacy so that you are better protected. For example, we’re currently looking at how federal agencies are using artificial intelligence. Our recent blog post looks at how increased use of AI may help create efficiencies in government and improve customer service. But it also raises concerns about privacy.
Just like in the 2010s data breaches, the government continues to collect a lot of personal data from Americans. This includes addresses, Social Security and driver’s license numbers, and tax information, as well as things like debt, mortgage, and loan information. In the wrong hands, this information could be used to steal your identity or extort money. And we think the federal government should be doing more to protect you. So, in March, we recommended steps for how to address some risks posed by AI use.
In a new podcast, we sat down with GAO’s Nick Marinos, who leads our efforts auditing cybersecurity, to discuss our work in these three areas. Listen below.
GAO is uniquely positioned to inform some of the biggest cyber issues
Congress relies on GAO to provide members with timely, fact-based information about cybersecurity risks and threats. This includes responding to congressional questions about major attacks as they unfold. For example,
- In 2021, the SolarWinds software breach resulted from one of the most widespread and sophisticated hacks ever conducted against the federal government and private sector. Under this hack, the Russian Foreign Intelligence Service injected trojanized (hidden) code into a file that was later included in a SolarWinds software update. We were asked to quickly provide Congress with a timeline of what happened, how it happened, and what the failures were. We were also asked, in the aftermath, to analyze what steps were needed to address similar vulnerabilities.
- Also in 2021, the Colonial Pipeline ransomware attack led to a temporary disruption in the delivery of gasoline and other petroleum products across much of the Southeast. This attack on critical infrastructure highlighted the urgent need to address longstanding cybersecurity challenges. Prior to this attack, we had repeatedly raised concerns about similar risks.
Why is it important for GAO to do this work? Congress looks to GAO to be an independent voice on the actions needed to address cybersecurity. With no personal stake, we can say—without bias or conflict of interest:
- When more attention is needed to address a problem
- What the real reasons for a vulnerability were
- When legislation is needed to address a gap in oversight or protections
For example, GAO sometimes makes recommendations for Congress to take action. Here’s an important one we think Congress should address: Your personal information used by the government is protected by the 1974 Privacy Act. When that law was created, taxpayers’ information was stored on paper in file cabinets. There was no email, no cellphones, and no internet. Today, this information is more easily accessible. And it’s more valuable. It can be bundled and sold. It can be vulnerable to misuse and data breaches. We need an updated law that looks more cohesively and broadly at privacy expectations so that you’re protected.
We’ll continue looking for ways to improve cybersecurity. You can follow these efforts by checking out our work at GAO.gov.
- GAO’s fact-based, nonpartisan information helps Congress and federal agencies improve government. The WatchBlog lets us contextualize GAO’s work a little more for the public. Check out more of our posts at GAO.gov/blog.
- Got a comment, question? Email us at blog@gao.gov.