After studying the SolarWinds and Microsoft Exchange attacks for the past year, the Government Accountability Organization (GAO) detailed the lessons agencies learned and ten critical actions still needed to address major cybersecurity challenges in a new report.
The report also detailed concerning findings: even though the Cybersecurity and Infrastructure Security Agency’s (CISA) work has given agencies “a degree of confidence that the threat actor is no longer present,” there remains a concern that threat actors have embedded undiscovered access.
“More than a year after the discovery of the devastating SolarWinds attack, in which the Russian government was able to gain network access to nine Federal agencies, it’s clear that there are still significant gaps in the Federal government’s ability to respond to advanced cyberattacks,” Rep. Carolyn Maloney, D-N.Y., chair of the House Committee on Oversight and Reform, said in a statement.
“It’s troubling that the Federal government was still working to remove cyberattackers from agencies’ networks six months after the attack was discovered, and I am alarmed to hear that cyberattackers may still have as-yet-undiscovered access to Federal networks,” she added.
GAO said implementation of President Biden’s executive order will help speed evidence collection and data sharing, but noted that critical actions are still needed to: establish a comprehensive cybersecurity strategy and perform effective oversight; secure Federal systems and information; protect critical cyber infrastructure; and protect privacy and sensitive data.
Additionally, six agencies did not have enough information and data to ascertain what happened on their networks, according to the report.
To help establish a comprehensive cybersecurity strategy and perform more effective oversight, GAO suggests:
- Developing a more comprehensive Federal strategy for both national security and global cyberspace;
- Mitigating global supply chain risks;
- Addressing the cyber workforce shortfall and other cyber workforce challenges; and
- Ensuring that security is built into emerging technologies like Internet of Things devices and AI.
To better secure Federal systems and information GAO recommends:
- Improving the implementation of government-wide cyber initiatives like President Biden’s cyber executive order;
- Addressing weaknesses in Federal information security programs; and
- Enhancing the Federal response to cyber events.
The report also recommends strengthening the Federal role in protecting critical infrastructure, improving Federal efforts to protect privacy and sensitive data, and acting to “appropriately limit the collection and use of personal information and ensure that it is obtained with appropriate knowledge or consent.”
After receiving the report, Rep. Maloney amplified her calls for an update to the Federal Information Security Management Act (FISMA). Her committee held a hearing on Jan. 11 on draft legislation of a FISMA reform bill, which has bipartisan support in the chamber.
“The Federal government continues to be a top target for nation-state adversaries, and the report released [Jan. 13] underscores the urgent need for Congress to update and strengthen the Federal Information Security Management Act, or FISMA,” Maloney concluded.