Most federal agencies lack cybersecurity strategies, says report

Most federal agencies lack a cybersecurity risk management strategy program and are susceptible to “the loss of sensitive data or compromise of agency systems,” according to a Government Accountability Office report.

In an audit of 23 agencies, the government watchdog found that only seven had proper cybersecurity firewalls in place and many said the greatest challenge was finding personnel to develop them.

“Federal agencies face cyber threats that continue to grow in number and sophistication,” the auditors wrote. “Yet, as GAO has previously reported, agencies have struggled to implement programs to effectively manage the risks to their information and information systems.”

The conclusions come on the heels of another GAO report on cybersecurity issues and enforcement across all the major agencies during fiscal 2018. That report found that 18 of 24 agencies were inadequately implementing their information security policies and practices. The GAO also noted that previous recommendations from its officials and from inspectors general were not being followed.

Analysts called attention to cybersecurity incidents at agencies ballooning from 29,999 in 2009 to 77,183 in 2015 — a 157% increase. Incidents included “web-based attacks, phishing attacks, and the loss or theft of computer equipment, among others.”

Both reports were issued late last week and noted that the federal government is lagging behind a May 2017 executive order from the Trump administration that said “agency heads are to be held accountable for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”

The executive order called for initiatives to address the major challenges to risk management including hiring and retaining cybersecurity talent and issuing clear risk guidance and standards.

Cybersecurity concerns have mounted in Washington as hacks and leaks of government data have caused dangerous and embarrassing episodes for several federal agencies.

The GAO’s report on the lack of cybersecurity risk management strategy highlighted the talent issue, with agencies admitting to challenges in “hiring and retaining key cyber management personnel.” The majority cited it as their leading cybersecurity problem.

Hiring challenges, the GAO said, stem from the lengthy federal hiring process and competition from private-sector companies that pay high salaries and offer other benefits.

The GAO noted comments from NASA’s chief cyber risk officer on the complexity of cybersecurity risk management — “a multi-disciplinary field that blends technical cyber expertise with project management principles and a business-focused management background.”

Additionally, that official emphasized that the government “lacks clearly defined roles for cyber risk management as a dedicated job function.”

The GAO added that while 23 agencies had designated risk executives, they often were not empowered to implement or enforce “agency- and system-level policies for assessing, responding to, and monitoring risk.”

The GAO recommended that the Office of Management and Budget and the Department of Homeland Security provide additional guidance and assistance to the agencies without risk assessment strategies.

The seven agencies found to have strategies for assessing cyber risks across their operations, assets, individuals and organizations were the departments of Commerce, Labor and State; the U.S. Agency for International Development; the General Services Administration; the Office of Personnel Management; and the Social Security Administration.