Federal agencies and our nation’s critical infrastructure—such as energy, transportation systems, communications, and financial services—depend on IT systems to carry out operations and process essential data. The security of these systems and data is vital to protecting individual privacy and national security.
However, risks to IT systems are increasing—in particular, malicious actors are becoming more willing and able to carry out cyberattacks. Additionally, there has been an increase in most types of cyberattacks across the United States, and the cost of these attacks is also increasing.
[Figure: Most Common Types of Cybersecurity Incidents in the U.S. (dollars in millions)]
Additionally, since many government IT systems contain vast amounts of personally identifiable information (PII), federal agencies must protect the confidentiality, integrity, and availability of this information—and effectively respond to data breaches and security incidents. Likewise, the trend in the private sector of collecting extensive and detailed information about individuals needs appropriate limits.
To highlight the importance of these issues, GAO has designated information security as a government-wide high-risk area since 1997. This high-risk area was expanded in 2003 to include the protection of critical cyber infrastructure and, in 2015, to include protecting the privacy of PII.
[Figure: Ten critical actions needed to address four major cybersecurity challenges]
GAO has made over 4,000 recommendations to federal agencies to address cybersecurity shortcomings. However, over 880 of these had not been fully implemented as of December 2022. Of these, we designated 134 as priority recommendations, meaning that we believe they warrant priority attention from heads of key departments and agencies. Until these shortcomings are addressed, federal and critical infrastructure IT systems will be increasingly susceptible to cyber threats.