With one click of a mouse, could an enemy of the United States black out major parts of the country or shut down the nation’s electronic communications? Could a hacker access a major bank and gain your personal information, and then clean out your accounts or steal your identity? Or send the stock markets into a tailspin, disrupting the economy?
Since 2010, GAO has made over 3,000 recommendations to agencies aimed at addressing cybersecurity shortcomings in each of these action areas. However, as of this month, about 1,000 have not been implemented. Until these shortcomings are addressed, federal agencies’ information and systems will be increasingly susceptible to the multitude of cyber-related threats that exist. Both government and the private sector have much work to do to protect the public.
As part of the increasing amount of technology- and science-based work that the non-partisan, fact-based organization I lead—the Government Accountability Office—is doing, we have been examining federal efforts on several cybersecurity fronts, including protecting Americans’ privacy, protecting critical infrastructure such as telecommunications and financial markets, and protecting the federal government’s own operational IT systems, such as those that are essential to the day-to-day workings of government.
Urgent actions are needed to address several cybersecurity challenges facing the nation. The risks to IT systems supporting the federal government and the nation’s critical infrastructure are increasing as security threats continue to evolve and become more sophisticated. These risks include escalating and emerging threats from around the globe, steady advances in the sophistication of attack technology, the emergence of new and more destructive attacks, and insider threats from disaffected or careless employees.
In particular, foreign actors—adversaries who may possess sophisticated levels of expertise and significant resources to pursue their objectives—pose increasing risks. Rapid developments in new technologies, such as artificial intelligence and the Internet of Things, will make the threat landscape even more complex and can also potentially introduce security, privacy, and safety issues that were previously unknown.
Compounding these risks, systems are often riddled with security vulnerabilities—both known and unknown. These vulnerabilities can facilitate security incidents and cyber-attacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.
We have identified a range of critical cyber challenges facing the federal government today and critical actions needed now to address them. These include:
- Developing and executing a more comprehensive cybersecurity strategy that includes mitigating global supply chain risks and ensuring a sufficient workforce
- Securing federal systems and information and enhancing the federal response to cyber incidents
- Protecting cyber critical infrastructure such as the electricity grid and telecommunications
- Protecting privacy and sensitive data by updating federal privacy laws and creating a consumer privacy framework for the private sector, especially information resellers
GAO has had this issue of information security on our High Risk list since 1997 and we will continue to track it as part of that list identifying programs that need concentrated attention from the Congress and the Administration. And we will be doing more work in technology and science because the pace of change and its impacts pose significant opportunities but also challenges for our nation. We have risen to such challenges as a nation before and I am sure we will do so again. But we must work harder and faster to address this present and growing threat.
Gene L. Dodaro is Comptroller General of the United States and head of the Government Accountability Office, a non-partisan Congressional watchdog agency.