In a study conducted to update its identification of information security risk areas, the Government Accountability Office ("GAO") identified four primary cybersecurity challenges and ten corresponding actions that the federal government and other entities must undertake to address them.

The four challenges are (i) establishing a comprehensive cybersecurity strategy and performing effective oversight, (ii) strengthening federal systems and information, (iii) safeguarding cyber critical infrastructure, and (iv) protecting privacy and sensitive data.

The four actions needed to address the first challenge are:

  • developing a more exhaustive federal strategy for national cybersecurity;
  • mitigating global supply chain risks;
  • addressing cybersecurity workforce management challenges (the federal government struggles to ensure that the nation's cybersecurity workforce has the necessary skills); and
  • ensuring the security of emerging technologies (such as artificial intelligence and the Internet of Things).

The three actions outlined to deal with the second challenge are:

  • improving the implementation of government-wide cybersecurity initiatives;
  • addressing weaknesses in federal agency information security programs; and
  • bolstering the federal response to cyber incidents.

To confront the third challenge, the GAO identified the need for a more robust federal role in protecting the cybersecurity of critical infrastructure (such as electricity grids and telecommunications networks).

With regard to tackling the fourth challenge, the GAO called for improving federal efforts to protect privacy and sensitive data, limiting the collection and use of personal information, and ensuring that personal information is obtained with appropriate knowledge or consent.

Since 2010, the GAO has made over 3,000 recommendations to federal agencies that relate to mitigating cybersecurity weaknesses. As of July 2018, approximately 1,000 recommendations still need to be implemented.

Commentary / Joseph V. Moreno

While the GAO study focuses on vulnerabilities and resource shortcomings relating to federal agencies, most of these same concerns apply equally to financial institutions and others in the private sector. The handling of vast quantities of personally identifiable information (PII), such as name, date of birth, and identification number, makes nearly any enterprise a potential target for cybercriminals and hostile foreign nations. Proper cyber hygiene, such as installing software patches, requiring strong passwords and encryption, and training users on how to avoid cyberattacks, is a bare minimum. Enterprises must obtain buy-in from the board and senior management consisting of both leadership commitment and the technological and staffing resources to back it up. Systems must be monitored in real time both for known threats and to identify new ones, and should be audited after the fact to constantly assess for weaknesses. And, perhaps most critically, a data breach action plan must be ready for implementation to address both the technical and the legal fallout if the worst does happen. Much can be learned by the private sector from the cybersecurity stumbles and missteps that have already befallen the federal government.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.