Cyber Security Failures Increasing Global Risk, Says GAO

In their annual report for 2018, the US Government Accountability Office (GAO) has released several key findings covering the implementation of cyber security program across the US government, and the news is not positive. Delivered this past week, the report stresses the need for agencies to implement the Accountability Office’s recommendations, or face weakened operations and inadequate cyber-defenses.

See also: Cyber Security Challenges, Focuses 2019.

The US federal government invested in excess of $96 billion into its cyber defense strategies, yet very little of this expenditure contributed to achieving mission-related outcomes. The Office of Management & Budget has received over 1,200 IT recommendations from the GAO since 2010, and other federal agencies have received over 3,000 security suggestions. Most of these recommendations were met with agreement, but the GAO is still monitoring their implementation.

Key findings

Of the 3,000 security recommendations made over the past eight years, 73 per cent have been implemented – and of the 1,200 IT solutions only 59 per cent have been completed. As such, the US faces a few more years of improvements, focussing on certain key areas:

1. The consolidation of data centers

In 2010, an initiative was launched to reduce the overall number of data centers in the US – comprising 160 recommendations for scaling-back and optimizing processes. However, 47 are still unaddressed – and the $4.5 billion worth of cost savings is set to grow yet further. Additional work is set to continue for a few years, yet.

2. Improving federal IT security

Of the 3,000 security recommendations, 688 are yet to be completed. This means that many facets of federal information technology are still lacking the cyber capabilities, personal data protection, and security programs required for strong IT networks. Federal IT systems are getting stronger, but it seems that there are still significant areas for development.

3. Software licensing

There is a global issue with over-purchasing of licences in large enterprises, resulting in expensive unused software. 27 of 135 recommendations are yet to be fully implemented, meaning that the US government is still wasting money on duplicate programs.

4. Chief Information Officer roles

Recent legal changes have altered the position of the CIO and set out 35 key responsibilities that must be carried out – bolstered by a further 27 from the GAO. However, not a single agency was found to be fully addressing the role of the CIO. This has far-reaching implications for a number of organizations, as the responsibility for a number of high-level decisions is being lost within many organizations with a complex managerial structure.

5. Contracts for IT

Most CIOs are failing to become involved in M&A activity – with the GAO estimating that in the US alone, billions of dollars’ worth of IT contracts are being signed without direct involvement of the CIO.

Future outlook

In addition to the concerns raised by the Government Accountability Office, the US Defense Department has highlighted the risk posed to the US by basic security lapses. Released on Friday, the Defense Department report summarizes findings that suggest unencrypted storage devices and poor security around physical assets and servers are the main culprits. With so much work yet to do in IT security across the US, combined with the defence implications of a lack of encryption, monitoring, and locks around critical infrastructure – the risk from malign parties is great.

You might be interested in: The 2018 Global Password Security Report.

Without widespread implementation of basic security requirements such as multifactor authentication, intrusion detection, secure servers, and physical security points at high-risk sites, the US system will remain vulnerable. With significant progress made since 2010, and the majority of recommendations already complete, the journey to a cyber-secure US is well underway. However, with some weaknesses yet to be rectified having been flagged as early as 1990 – it is more than just a numbers game. If the few gaps in the system are critically important, then the US may be further behind than anyone would like to admit.