GAO Finds Nation-State Actors Remain Greatest Cybersecurity Threat to Federal ‘High-Impact’ Systems

WASHINGTON - On Tuesday, the Government Accountability Office made public a new report examining the security controls of high-impact information systems. The audit revealed that the 18 federal agencies that have high-impact systems — those that hold sensitive information that, if lost or stolen, could cause the nation or individuals serious harm — identify foreign nations as the most serious and frequently occurring threat.

The auditors found that key federal agencies responsible for sensitive systems, including the National Aeronautics and Space Administration, the Office of Personnel Management, the Department of Veterans Affairs, and the Nuclear Regulatory Commission, had not taken all necessary security precautions to protect system controls or to address weaknesses, for example by patching known software vulnerabilities. As a result, GAO warned, the sensitive data maintained on these systems remains vulnerable. Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security and Governmental Affairs Committee, Ranking Member Tom Carper (D-Del.) and Sen. Susan Collins (R-Maine), chairman of the Special Committee on Aging, had this to say regarding the GAO report produced at their request:

“Foreign nations continue to work to penetrate federal networks and information systems to access our government’s sensitive information,” said Johnson.  “As we saw with last year’s data breach of the Office of Personnel Management’s security clearance files, which affected 21 million people, poor federal cybersecurity can put the nation and its citizens at risk.  I remain concerned that federal agencies are not fulfilling their responsibilities under the law to secure federal information systems. Our committee is asking agencies to respond to these findings and will monitor progress to ensure that federal agencies follow the law and take adequate precautions to protect sensitive information.”  

“Our high-impact systems contain sensitive information that we cannot afford to have breached by outside groups. To protect these critical networks from constantly evolving threats, we must ensure that we continue addressing vulnerabilities and building resiliency into our policies and practices,” said Carper. “Today’s report shows that we have more to do to secure our systems because, while our defenses are getting stronger, these attacks are getting more sophisticated. While agencies have a responsibility to improve their cybersecurity measures, Congress also has an obligation to ensure that agencies have the funding, the tools, and the authority they need to adequately protect their systems.”

“The cyberattack at OPM last year was a glaring exposure of the current vulnerabilities in our federal computer system.  It is vital that the U.S. government take substantial steps to protect the sensitive information stored within its high-impact systems. GAO’s report details key improvements that must be immediately implemented by the four agencies covered in this report, including OPM. The work done by GAO helps to ensure that all our federal networks and databases are properly protected and secured,” said Collins.

In December, President Obama signed into law a federal cybersecurity package that included legislation drafted by Chairman Johnson and Ranking Member Carper to enhance federal cybersecurity protections. The bipartisan Federal Cybersecurity Enhancement Act of 2015 mandates the deployment of cybersecurity best practices at agencies — measures such as intrusion assessments, strong authentication, encryption of sensitive data and appropriate access controls. The bill also authorizes EINSTEIN, an intrusion detection and prevention system intended to screen federal agencies’ Internet traffic for potential cyber threats.
