US government agencies have been slow to implement recommended cybersecurity measures, increasing the risk to national security, critical infrastructure, the US economy, and US citizens’ personal information, according to a sweeping report issued by the watchdog Government Accountability Office (GAO) in June.
Federal agencies have failed to implement approximately one-third of the 1,600 cybersecurity recommendations that the GAO has made since 2010. The report also noted that 15 of the 23 civilian agencies it examined had ineffective information security programs.
“There’s a large amount of personal information that [federal agencies] protect and it’s really [about] policies and procedures around how to protect that,” according to Marisol Cruz Cain, the director of GAO’s information technology and cybersecurity team.
One of the principal shortcomings cited in the report is federal agencies’ failure to implement systems that can even detect unauthorized intrusions and track cybersecurity incidents. Of the 23 agencies the GAO analyzed, 20 did not have these capabilities despite earlier GAO recommendations to implement them.
“Until these recommendations are fully implemented, the federal government will be hindered in ensuring the security of federal systems and critical infrastructure and the privacy of sensitive data. This increases the risk that the nation will be unprepared to respond to the cyber threats that can cause serious damage to public safety, national security, the environment, and economic well-being,” the GAO report stated.
Some of the hurdles agencies face in implementing stronger cybersecurity measures include competing priorities, inadequate information sharing with the Cybersecurity and Infrastructure Security Agency (CISA), and lack of funding.
For example, the GAO noted that the Internal Revenue Service (IRS), which has been struggling with funding shortfalls for the last several years, still has not established a comprehensive inventory of the IT systems that process and store taxpayer information. This makes it more difficult for the IRS to safeguard the data of the more than 260 million individual and business taxpayers in the US.