A report from the Government Accountability Office (GAO) highlighted an urgent need to address critical cybersecurity challenges facing the nation.
The latest installment in the GAO’s “High Risk Series” noted that despite the implementation of 1,043 out of 1,610 recommendations made since 2010, 567 remain unaddressed.
The report also highlighted the escalating frequency and sophistication of cybersecurity incidents, which pose increasing risks to essential technology systems and national security.
Federal agencies reported more than 30,000 information security incidents to the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) in fiscal year 2022.
The report warns that such attacks could result in significant harm to human safety, national security, the environment and the economy.
The GAO identified major challenges, including the need for a robust national cybersecurity strategy, securing federal systems, protecting critical infrastructure and safeguarding privacy and sensitive data.
To counter these risks, the GAO recommends ten critical actions, such as developing a comprehensive federal strategy, mitigating global supply chain risks, addressing cybersecurity workforce challenges and enhancing the security of emerging technologies.
The report warned that until these recommendations are fully implemented, federal agencies will struggle to provide effective oversight, ensure the security of critical infrastructure and protect sensitive data.
Malachi Walker, security advisor at DomainTools, said that to combat the increasing risks to the nation’s technology and address the unimplemented GAO recommendations, the most critical actions to prioritize are those that will proactively reduce vulnerabilities.
“These actions include updating outdated legacy systems and limiting connections from the protected environment to unknown infrastructure,” he said.
He noted that effective oversight of government-wide cybersecurity initiatives is difficult due to a large and growing attack surface and a limited number of government employees who specialize in cybersecurity.
According to a recent cybersecurity workforce study by the International Information System Security Certification Consortium (ISC2), there is a total workforce shortage of four million cybersecurity professionals.
“This gap accounts not just for federal agencies but for the companies that work with them, making addressing necessary government-wide cybersecurity initiatives extremely difficult,” Walker said.
He added that these challenges can be mitigated by allocating a budget with each new initiative to help support the facilitation of talent or the agency’s ability to bring in a company that will support the agency’s efforts in meeting these initiatives.
“Strategies need to be set in place to continue to regulate and invest in the cybersecurity protection for areas of critical infrastructure,” Walker said.
Daniel Wilbricht, president at Optiv and ClearShark, explained that several measures can be implemented to improve the federal response to cyber incidents.
“These include the establishment of a central authority or the strengthening of existing ones like CISA to coordinate responses across federal agencies,” he said.
Developing and implementing standardized incident response protocols and procedures to ensure a consistent and effective approach and fostering improved information sharing between federal agencies, private sector partners and international allies are additional critical measures.
“A comprehensive federal cybersecurity strategy should include conducting regular risk assessments and developing risk management strategies tailored to evolving cyber threats,” Wilbricht added.
From the perspective of Ken Dunham, cyber threat director at Qualys Threat Research Unit, strategy and plans with achievable accountability and timelines, coupled with a security roadmap for maturing hygiene over time, are required for an effective federal response to cyber threats.
“Priorities specific to each organization must be put in place to quickly address areas of highest risk, while reducing risk over the long term,” he said.
He noted that in 2024, it’s “easy to get buried” in the more than 1,600 GAO recommendations reported, along with diversified technologies and the rate of change taking place, all the while struggling with “block and tackle” cyber hygiene in day-to-day operations.
“Priorities to protect critical assets, with visibility — the ability to know what you don’t know, so you have assurances that you can detect and lower dwell time of an attacker inside of your network — is essential,” he said.