February 15, 2017–The Government Accountability Office said today that cybersecurity of federal government networks and systems that support critical infrastructure, along with protection of the privacy of personally identifiable information (PII) that is collected and shared by federal government and other entities, remain on the agency’s “high risk” list for 2017. In its latest biennial update to the high-risk list issued today, GAO listed federal cybersecurity and PII protection among a total of 32 areas that are characterized as “government programs with greater vulnerabilities to fraud, waste, abuse, and mismanagement or the need for transformation to address economy, efficiency, or effectiveness challenges.”
For all of those areas, GAO recommends “perseverance” by the executive branch in implementing solutions recommended by GAO, and continued oversight and action by Congress. Neither the federal cybersecurity nor the PII protection issues are new to the GAO list; the security of federal cyber assets first appeared on the GAO list in 1997, the protection of critical cyber infrastructure was included in 2003, and PII protection debuted on the list in 2015.
GAO said in the latest report that it has made about 2,500 recommendations over the last several years aimed at improving the security of federal systems and information, and that as of October 2016 about 1,000 of those recommendations had not been implemented. It said that improving security of federal systems and information, and protection of critical cyber infrastructure, continue to need “substantive attention.”
“These recommendations identified actions for agencies to take to strengthen technical security controls over their computer networks and systems,” GAO said, adding, “They also include recommendations for agencies to fully implement aspects of their information security programs, as mandated by the Federal Information Security Modernization Act (FISMA) of 2014 and its predecessor, the Federal Information Security Management Act of 2002, and to protect the privacy of PII held on their systems. However, many agencies continue to be challenged in safeguarding their information systems and information, in part because many of these recommendations have not been implemented.”
“Risks to cyber assets can originate from unintentional and intentional threats,” GAO said. “These include insider threats from disaffected or careless employees and business partners, escalating and emerging threats from around the globe, the steady advances in the sophistication of attack technology, and the emergence of new and more destructive attacks. Ineffectively protecting cyber assets can facilitate security incidents and cyberattacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.”
“Regarding PII, advancements in technology, such as new search technology and data analytics software for searching and collecting information, have made it easier for individuals and organizations to correlate data and track it across large and numerous databases,” GAO said.
“In addition, lower data storage costs have made it less expensive to store vast amounts of data,” it said. “Also, ubiquitous Internet and cellular connectivity makes it easier to track individuals by allowing easy access to information pinpointing their locations. These advances—combined with the increasing sophistication of hackers and others with malicious intent, and the extent to which both federal agencies and private companies collect sensitive information about individuals—have increased the risk of PII being exposed and compromised.”
GAO noted that critical infrastructure encompasses a wide range of industries including communications, information technology, chemical, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, health care and public health, nuclear reactors, materials and waste, transportation systems, and water and wastewater systems.
It also defined PII as “any information that can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, Social Security number, or other types of personal information that can be linked to an individual, such as medical, educational, financial, and employment information.” – John Curran