Federal cybersecurity is in a worse place than it was two years ago, with agencies failing to implement more than 750 recommended changes, including ones that could have prevented or helped the government respond to the recent Russian cyberattack on dozens of public and private organizations.
That’s the assessment the Government Accountability Office, a watchdog agency, gave Tuesday in its “high risk” report that it issues every two years to Congress. The report highlights the federal areas most in need of improvement and transformation, and in addition to cybersecurity shortcomings it listed issues such as weapons systems acquisitions and managing climate change risks.
But in a congressional hearing held Tuesday by the House Committee on Oversight and Reform, lawmakers appeared particularly concerned about deteriorating federal cybersecurity, especially given the SolarWinds attack that still has many unanswered questions.
“Last Friday our committee had a hearing on the SolarWinds breach and received really frightening testimony about how a suspected Russian state actor infiltrated the networks of at least nine federal agencies and over 100 private sector companies,” Rep. Carolyn B. Maloney, the Chairwoman of the Committee on Oversight and Reform, said at the start of the hearing. “The vulnerability of federal and private sector systems, including critical infrastructure of the nation’s energy, transportation, communications, and financial sector, is absolutely staggering.”
Rep. Clay Higgins, a Republican from Louisiana who said he was particularly concerned with economic espionage, echoed that sentiment: “America’s interest is certainly much more heavily focused now on cybersecurity, as we should be.”
Gene L. Dodaro, the comptroller general of the GAO who testified before the lawmakers, said his organization has made 3,300 cybersecurity recommendations since 2010, and almost a quarter of them have yet to be addressed. About 70 of those recommendations are high priority, but Dodaro underscored that all 750 “can introduce vulnerabilities if not attended to.”
Rep. Maloney called the figures “unbelievably unacceptable.”
“We’ve Warned About It Before”
Asked if certain changes could have helped the government prevent or respond to the SolarWinds attack, Dodaro emphasized two recommendations that his agency has made: implementing IT supply chain best practices and appointing a White House cybersecurity coordinator.
Supply chain attacks aren’t particularly common, but they can give attackers access to targets by first compromising a widely used piece of software or other tool developed by a third party. In the SolarWinds breach, attackers linked to the Russian government trojanized the company’s Orion business software updates and used them to distribute malware to potentially thousands of customers. So far, the U.S. government has identified nine agencies that were targeted for second-stage activity by the attackers.
“We’ve warned about it before,” said Dodaro. “None of the 23 agencies we looked at met all the [supply chain] best practices criteria.”
The second recommendation he highlighted addressed the absence of a White House cybersecurity coordinator who would support agencies and serve as a bridge between civilian and military components of the government. The position was eliminated in May 2018 to cut “another layer of bureaucracy,” according to then-National Security Advisor John Bolton. In January, Congress established the coordinator role for the White House in statute, but the position has yet to be filled.
Asked if these changes would have prevented the SolarWinds attack, Dodaro said it would have been impossible to know but “it certainly would have led to an earlier discovery.”
Other highlights from the report and hearing include:
- The possibility of Congress mandating recipients of federal contracts to share information about data breaches with the federal government. Rep. Maloney brought up the idea after remarking on the “great resistance” that companies put up on information sharing, and Dodaro said such a policy would be helpful.
- There’s no quick fix for the cybersecurity talent gap. “You definitely don’t have enough people to provide [cybersecurity] services to both the private sector and government. We need an increased pipeline, there’s no question about that,” Dodaro said.
- The White House’s September 2018 National Cyber Strategy and the National Security Council’s accompanying June 2019 Implementation Plan were criticized for being rudderless. The plan detailed 191 activities that federal entities are to undertake, but did not include goals and timelines for 46 of them, identify resources needed to execute 160 of them, or specify a process for monitoring progress.