The preponderance of legacy systems in the Federal government poses a major obstacle to improved agency cybersecurity practices, according to Gene Dodaro, Comptroller General of the United States and head of the Government Accountability Office.
“There’s a lot of legacy systems, old systems where they just can’t keep up with patching things,” Dodaro said. “Despite the breaches that have occurred most recently, there’s more attention being given to this area but not enough.”
Dodaro testified Wednesday at a House Oversight and Government Reform Committee hearing on the Government Accountability Office’s 2017 High Risk Report, which included issues of both cybersecurity and IT modernization.
Rep. Robin Kelly, D-Ill., said that legislation such as the Modernizing Government Technology Act (MGT) offers the opportunity to acquire newer government systems with cybersecurity best practices already built in. The original sponsor of the bill, Rep. Will Hurd, R-Texas, told MeriTalk in January that he intends to reintroduce the bill in the current Congress.
In his opening statement, Rep. Gerry Connolly, D-Va., wrote that initiatives to modernize government technology systems deserve particular attention, adding that “we are entering a critical period in the long-running saga of Federal IT reform.”
The executive branch has also recognized the important relationship between IT modernization and cybersecurity practices, with drafts of an anticipated cybersecurity executive order directing agency heads to plan for a major modernization effort as a part of improving the government’s cybersecurity capabilities.
According to Dodaro, these cybersecurity issues have been in the GAO crosshairs for the past 20 years, as the 1997 GAO High Risk Report was the first to include recommendations for governmentwide information security practices.
“I’ve been very concerned about the pace of agencies implementing our recommendations in this area,” said Dodaro. “Protecting our information systems from cyberattacks and our critical infrastructure throughout the United States is important. We first put cybersecurity across the Federal government on the High Risk List in 1997. So that’s the 20th anniversary of us bringing this issue up and there’s still a lot that has to be done.”
This year’s report listed Federal cybersecurity as a high-risk area in need of significant attention, noting that agencies must still take action on 1,000 remaining GAO recommendations.
Of the five criteria set for improving cybersecurity in the 2015 list, the government has fully met the leadership commitment criterion and partially met the other four: capacity, action plan, monitoring, and demonstrated progress.
“It’s been a concern, it’s been an issue for 20 years, and it’s not a static environment,” Gregory Wilshusen, director of Information Security Issues at GAO, told MeriTalk. “One of the issues with cybersecurity is even though agencies are making progress and there’s new initiatives that are being put into place to help improve security, this is one of those areas where the goalposts change. There’s new threats, there’s new systems, new technologies, and vulnerabilities, so that means that we have to continue to be on guard to take actions to address those risks.”
Kelly also stressed the importance of acquiring and effectively instituting Continuous Diagnostics and Mitigation (CDM) systems as a part of best cybersecurity practices.
“Agencies generally do not do a very good job of configuring their systems in accordance with sound cybersecurity principles,” Wilshusen testified. “We believe that CDM is a tool that can help agencies better secure their systems by looking into the configuration of those systems, making sure they’re in compliance with agency standards, identifying vulnerabilities, and even just to identify devices on their networks.”
Wilshusen told MeriTalk that GAO already has an engagement this year to look at implementation of CDM throughout the government.
“That’s what we will be looking at to see how well agencies are actually using that capability,” Wilshusen said.