GAO Warns Feds Putting Off 'Urgently Needed' Cybersecurity Steps

GAO Warns Feds Putting Off ‘Urgently Needed’ Cybersecurity Steps

Cyber Head Notes Ongoing Issues at DOE, CISA

Shutterstock

Dec 3, 2021 | Holden Mann

An official from the Government Accountability Office warned that the government still has not implemented critical infrastructure cybersecurity measures.

The Government Accountability Office (GAO) warned on Thursday that the federal government has yet to take “urgently needed” actions to protect the nation’s critical infrastructure, including the electric grid, from cyberattacks.

In written testimony to the U.S. House of Representatives’ Transportation and Infrastructure Committee, Nick Marinos, GAO’s director of information technology and cybersecurity, highlighted incidents such as the ransomware attack against Colonial Pipeline in May, which led the company to shut down its entire network, temporarily halting nearly half the supply of gasoline, diesel and other fuel products to the U.S. East Coast. (See Colonial CEO Welcomes Federal Cyber Assistance.)

While the Colonial attack demonstrated that cyberthreats targeting critical infrastructure are growing rapidly, Marinos said that “GAO’s recommendation to develop and execute a comprehensive national cyber strategy is not yet fully implemented.”

Marinos specifically noted the lack of follow-through on GAO’s March report that spotlighted the vulnerability of electric distribution systems to cyberattacks. (See Distribution a Cyber Weak Point, GAO Warns.) In that report, GAO observed that the Department of Energy had no plans to study the impact of a cyber threat to these systems, much less mitigate it.

Marinos said that although DOE “agreed with our recommendation” the needed actions had not been taken as of November.

He also criticized the federal government for neglecting its role in protecting national critical infrastructure. GAO has made multiple recommendations in this regard as well, which Marinos chided the government for not following. (See GAO Pushes Agencies for Action on Resilience.)

A major focus of Marinos’ 24-page statement was the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), established in 2018 to “[protect] federal civilian agencies’ networks from cyber threats and to enhance the security of the nation’s critical infrastructure in the face of both physical and cyber threats.” The Senate confirmed former Morgan Stanley executive Jen Easterly to head CISA in July. (See Senate Confirms Easterly as CISA Chief.)

GAO issued a report in March calling for organizational changes to CISA to address complaints about the agency from public- and private-sector stakeholders, including “lack of clarity surrounding its organizational changes and the lack of stakeholder involvement in developing guidance.” While these actions have not been implemented, Marinos said that DHS had “concurred” with them and plans to fully implement them by the end of next year.

GAO did win approval of its recommendation for creation of a National Cyber Directorate within the White House. The directorate’s first head, Chris Inglis, was confirmed by the Senate in June. (See Inglis, Easterly Define Roles in Confirmation Hearing.) Marinos called this an “important first step,” saying the cyber director can help coordinate the actions of various groups across government and perform oversight of their activities.

He likewise praised Inglis’ issuance of a strategic intent statement in October as a positive move.

Nevertheless, Marinos warned that the October document — which lays out a vision for the office and high-level lines of effort including planning and incident response, budget review and assessment, and federal cybersecurity goals — falls short of a true national cyber strategy, which he called “more urgent than ever.”

FERC & Federal