January 20, 2022


Cybersecurity: Federal Actions Urgently Needed to Better Protect the Nation’s Critical Infrastructure


What GAO Found

GAO has previously reported on major cybersecurity challenges facing the nation and the critical federal actions needed to address them (see figure).

Four Major Cybersecurity Challenges and 10 Associated Critical Actions

To address critical infrastructure cybersecurity, key actions the federal government needs to take include (1) developing and executing a comprehensive national cyber strategy and (2) strengthening the federal role in protecting the cybersecurity of critical infrastructure.

Develop and execute a comprehensive national cyber strategy. In September 2020, GAO reported that the White House’s 2018 National Cyber Strategy and related implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources. GAO also reported that it was unclear which official within the executive branch ultimately maintained responsibility for coordinating the execution of the National Cyber Strategy. Accordingly, GAO recommended that the National Security Council update the cybersecurity strategy and that Congress consider legislation to designate a position in the White House to lead such an effort.

In January 2021, a federal statute established the Office of the National Cyber Director within the Executive Office of the President. In June 2021, the Senate confirmed a Director to lead this new office. In October 2021, the National Cyber Director issued a strategic intent statement, outlining a vision for the Director’s planned high-level lines of effort. The establishment of a National Cyber Director is an important step toward positioning the federal government to better direct activities to address the nation’s cyber threats. Nevertheless, GAO’s recommendation to develop and execute a comprehensive national cyber strategy is not yet fully implemented. As a result, a pressing need remains to provide a clear roadmap for addressing the cyber challenges facing the nation, including its critical infrastructure.

Strengthen the federal role in protecting the cybersecurity of critical infrastructure. Pursuant to legislation enacted in 2018, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) was charged with responsibility for, among other things, enhancing the security of the nation’s critical infrastructure in the face of both physical and cyber threats. In March 2021, GAO reported that DHS needed to complete key activities related to the transformation of CISA, including finalizing the agency’s mission-essential functions and completing workforce planning activities. GAO also reported that DHS needed to address challenges identified by selected critical infrastructure stakeholders, including having consistent stakeholder involvement in the development of related guidance (see figure). Accordingly, GAO made 11 recommendations to DHS. As of November 2021, DHS had not yet implemented them, though it stated its intent to do so.

Cybersecurity and Infrastructure Security Agency (CISA) Coordination Challenges Reported by Stakeholders Representing the 16 Critical Infrastructure Sectors

Regarding specific critical infrastructure sectors, since 2010 GAO has made about 80 recommendations to enhance the cybersecurity of these sectors and subsectors, including within the aviation and pipeline industries. In October 2020, GAO reported that, although the Federal Aviation Administration had established a process for certification and oversight of U.S. commercial airplanes, it had not prioritized risk-based cybersecurity oversight or included periodic testing as part of its monitoring process, among other things. In July 2021, GAO testified that the Transportation Security Administration had not fully addressed pipeline cybersecurity-related weaknesses that GAO had previously identified, such as aged protocols for responding to pipeline security incidents. Until GAO’s recommendations to address issues such as these are fully implemented, federal agencies will not be effectively positioned to ensure critical infrastructure sectors are adequately protected from potentially harmful cybersecurity threats.

Why GAO Did This Study

Federal agencies and the nation’s critical infrastructure—such as transportation systems, energy, communications, and financial services—are dependent on information technology systems to carry out operations. The security of these systems and the data they use is vital to public confidence and national security, prosperity, and well-being.

GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include protecting (1) cyber critical infrastructure in 2003 and (2) the privacy of personally identifiable information in 2015.

In 2018, GAO reported that the federal government needed to address four major cybersecurity challenges: (1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data. Within these four challenges are 10 actions critical to successfully dealing with the serious cybersecurity threats facing the nation (see the figure identifying the four challenges and 10 actions).

GAO was asked to testify on the federal government’s efforts to address critical infrastructure cybersecurity. For this testimony, GAO relied on selected products it previously issued.
