January 19, 2021

RPC Interview: U.S. Comptroller General Gene Dodaro on the Cybersecurity of the Nation


KEY TAKEAWAYS

  • The Government Accountability Office, headed by the comptroller general, is responsible for helping Congress provide oversight of the federal government and has increasingly recommended steps to increase the country’s cybersecurity.
  • GAO has identified four major cybersecurity challenges facing the nation: (1) establishing and implementing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data.
  • In December 2020, Congress established the Office of the National Cyber Director within the Executive Office of the President. This is an important step toward providing leadership and coordination for the government’s cybersecurity efforts. 

The federal government and much of our nation’s commercial infrastructure, such as power plants, financial markets, and transportation, depend on information technology systems that are vulnerable to cyberattack.

The Government Accountability Office first designated information security as a government-wide “high-risk” area in 1997. Since 2010, GAO has made more than 3,000 recommendations to federal agencies to address cybersecurity issues. As of September 2020, about 600 had not been fully implemented. The office has warned, “Until these shortcomings are addressed, federal IT systems and data will be increasingly susceptible to cyber threats.” It intends to issue an update on its high-risk list in February.

GAO, which helps Congress meet its constitutional responsibilities of oversight of the executive branch, is led by U.S. Comptroller General Gene Dodaro. He was appointed by President Obama to a 15-year term after being selected from a bipartisan, bicameral list created by Congress. In recent years he has focused on enhancing GAO’s efforts in science, technology, and cybersecurity issues.

Q: What would you say are the top three to five GAO recommendations or items that would have the most measurable impact on improving the cybersecurity of the federal government?

A: In our most recent high-risk work, we identified four major cybersecurity challenges facing the nation, as well as 10 critical actions to address them.

First is to establish and implement a comprehensive cybersecurity strategy and perform effective oversight. Meeting this challenge requires developing and executing a comprehensive federal strategy for national cybersecurity and global cyberspace. It also requires the federal government to mitigate global supply chain risks, such as the installation of malicious hardware or software. The U.S. also needs to address cybersecurity workforce management challenges across the government. Finally, it has to ensure the security of emerging technologies such as artificial intelligence and the Internet of Things.

The second major challenge is securing federal agencies’ systems and information. To do this, agencies need to do a better job of implementing government-wide cybersecurity initiatives, address weaknesses in their internal information security programs, and improve their responses to cyber incidents.

The third major challenge is strengthening the federal role in protecting the cybersecurity of critical infrastructure, most of which is owned and operated by the private sector. This means ensuring an effective partnership between the federal government, other levels of government, and private industry.

The fourth and final major challenge we identified is protecting the privacy and sensitive data of both the federal government and the American public. This requires improving federal efforts to protect sensitive data and appropriately limiting the collection and use of personal information by both public and private entities.

GAO has made hundreds of recommendations in these areas over the last several years, and implementing these will help support the critical actions needed to meet the challenges we identified. We will be issuing an update on our high-risk work in the coming months.

For more information see: High-Risk Series: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas, GAO-19-157SP (March 2019)

Q: Older, “legacy” IT systems often have high costs, low functionality, and poor cybersecurity. What steps should the government take to prioritize IT modernization?

A: There are several steps the government should take to make sure its IT systems are cost-effective, provide needed functionality, and are secure against cyber threats. This will require action from executive-branch agencies, as well as oversight from the Office of Management and Budget.

First and foremost, agencies need to know which of their legacy systems are obsolete and due for replacement, and they need to make plans for retiring those systems. We reported in 2016 and 2019 that major executive branch agencies hadn’t sufficiently identified obsolete legacy systems, or made plans to retire them. This included, in some cases, critical legacy systems with outdated programming languages, unsupported hardware or software, and known security vulnerabilities. We’ve made a number of recommendations to these agencies to develop such plans, and while some progress has been made, agencies need to do more to develop and follow through on their plans.

OMB also plays an important role here in providing guidance and oversight to agencies. We found that the office has not done enough to set targets for spending on investments in operations and maintenance, and it hasn’t finalized guidance for agencies on identifying, evaluating, and prioritizing these investments. We recommended that OMB take steps to address these gaps, but to date, it has not implemented these recommendations, which would provide needed oversight and accountability for agency efforts to identify obsolete systems and modernize their IT environments.

Finally, the Technology Modernization Fund, established under the Modernizing Government Technology Act, provides new funding to improve, retire, or replace existing federal IT systems. However, we have found that the fund, which is administered by OMB and the General Services Administration, needs improved management and oversight to help it better achieve this goal. This includes developing a plan to fully recover the fund’s operating costs and clarifying that agencies should follow required cost guidance when submitting proposals for project funding.

For more information see: Technology Modernization Fund: OMB and GSA Need to Improve Fee Collection and Clarify Cost Estimating Guidance for Awarded Projects, GAO-20-3 (December 2019)

Q: GAO added privacy of personally identifiable information to the high-risk list in 2015. Should Congress pass a national data privacy law and, if so, are there any items you recommend including or excluding?

A: Yes. In 2013 we recommended that Congress strengthen the current consumer privacy framework to reflect the effects of changes in technology and the marketplace. It is clear that the existing legal framework doesn’t go far enough in protecting the privacy of individuals’ personal information and other sensitive data. For example, the current legal framework doesn’t adequately address newer technologies like online behavior tracking, AI, and the Internet of Things, as well as the vastly expanded market for personal information, including third-party sharing. The current framework also does not adequately address consumers’ right to learn what information is held about them for marketing, who holds it, and their right to control the collection or sharing of sensitive information with third parties. The framework also does not fully adhere to the “fair information practice principles,” which are widely accepted principles for protecting the privacy and security of personal information.

There are also limitations in other existing privacy laws such as the Privacy Act of 1974 and the E-Government Act of 2002. This is because the provisions of these laws may not consistently protect this information during its collection and use throughout the federal government and may not adhere to key privacy principles.

Views differ on the approach that any new privacy legislation or regulation should take. Some privacy advocates favor a comprehensive law to provide greater consistency and address gaps left by the current sector-specific approach. Others worry that a comprehensive, one-size-fits-all approach would be burdensome and inflexible. Industry representatives have asserted that restrictions on the collection and use of personal data would impose compliance costs, inhibit innovation, and reduce consumer benefits. The challenge for crafting new legislation will be providing appropriate privacy protections without unduly inhibiting the benefits to consumers, commerce, and innovation that data sharing can deliver.

For more information see: Consumer Privacy: Changes to Legal Framework Needed to Address Gaps, GAO-19-621T (June 2019)

Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace, GAO-13-663 (September 2013)

Privacy: Federal Law Should Be Updated to Address Changing Technology Landscape, GAO-12-961T (July 2012)

Q: Artificial Intelligence presents a number of cybersecurity opportunities and challenges. How can the 117th Congress and the Biden administration build on the work done by the 116th Congress and the Trump administration to ensure America leads the world in this technology?

A: The use of AI systems is transforming many aspects of life, including drug development, agriculture, advanced manufacturing, autonomous transportation, and national security and defense. But these systems also present risks and challenges to accountability, especially for civil liberties, ethics, and social disparities. Meeting these challenges requires a forward-thinking approach from policymakers.

In the area of cybersecurity, automated systems and advanced algorithms can help cybersecurity professionals in a variety of ways. They can reduce the time and effort it takes to identify and patch vulnerabilities and to detect and defend against attacks. Used appropriately, AI tools can reduce human workload, increase accuracy in the detection of cyber threats, and process large amounts of data in short time spans.

At the same time, AI systems running on computers are vulnerable to similar types of cyber exploits as other IT systems. The use of AI in cybersecurity depends on human intervention for ongoing operation and periodic maintenance; the identification and/or verification of attacks; addressing ethical and legal concerns of how AI uses personal data; addressing AI’s own vulnerability to cyberattacks that attempt to maliciously manipulate the system’s actions; and countering automated or AI-based attacks.

As AI technologies continue to advance at an incredible speed, federal oversight considerations need to evolve alongside them. Both the Trump administration and the 116th Congress took steps in this direction. For example, the Trump administration’s national AI strategy discussed, among other things, the need for additional research and development, including for mitigating cyber risks of certain AI techniques. Also, provisions in recently enacted legislation, such as the creation of a government-wide National AI Initiative and the AI Center of Excellence, provide avenues for increased focus on the challenges and opportunities presented by AI.

When assessing these technologies, including building on the past work of the Trump administration and the 116th Congress, policymakers should ask: How is the federal government using AI systems? (For example, what data and code are used?) How should AI systems be evaluated? What would evidence-based AI assessment look like? And what does the future hold for AI oversight? We continue to hold discussions with the AI community to explore this technology’s impact on cybersecurity and other issues.

For more information see: Artificial Intelligence in Health Care: Benefits and Challenges of Technologies to Augment Patient Care, GAO-21-7SP (November 2020)

Artificial Intelligence in Health Care: Benefits and Challenges of Machine Learning in Drug Development, GAO-20-215SP (January 2020)

Artificial Intelligence: Emerging Opportunities, Challenges, and Implications for Policy and Research, GAO-18-644T (June 2018)

Technology Assessment: Artificial Intelligence: Emerging Opportunities, Challenges, and Implications, GAO-18-142SP (March 2018)

Q: The executive branch includes a national cyber director, the Cybersecurity and Infrastructure Security Agency, U.S. Cyber Command, and the federal chief information officer. Who is actually in charge of cybersecurity for the executive branch, and can anything be done to streamline this bureaucracy?

A: Given the large number of entities with cybersecurity responsibilities across the executive branch, coordinating and overseeing these efforts continues to be one of the government’s most pressing challenges. In particular, the executive branch needs strong leadership to execute a National Cyber Strategy, and we raised concerns about the elimination of the White House cybersecurity coordinator position in May 2018 because it was not clear who was responsible for providing this leadership.

In this regard, establishing the Office of the National Cyber Director within the Executive Office of the President, as provided for by the fiscal year 2021 National Defense Authorization Act, is an important step in the right direction. Moving forward, it will be especially critical to fill this position and to ensure that the director has the authorities and capabilities necessary to (1) ensure that federal entities are effectively executing their assigned activities intended to support the nation’s cybersecurity strategy and (2) coordinate the government’s efforts to overcome the nation’s cyber-related threats and challenges. This new office’s responsibilities could include identifying opportunities for clarifying and streamlining the bureaucracy.

For more information see: Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy, GAO-20-629 (September 2020)

Q: We saw the federal government play a critical role in helping states secure and conduct elections during 2020. What can the federal government do to strengthen partnerships in other “critical infrastructure” sectors like the electric grid to help protect against cyberattacks?

A: The protection of critical infrastructure sectors depends on a strong partnership between the federal government and the private sector, as well as state, local, tribal, and territorial governments. The role of the federal government varies somewhat among sectors since, for example, some sectors are more heavily regulated than others. However, sector-specific agencies (SSAs) with critical infrastructure responsibilities need to do more to assist the sectors.

This includes ensuring improvements in planning, guidance, risk assessments, and performance measurement to help the private sector and other government entities identify and manage cyber risks facing critical infrastructure. For example, we recently reported that the Energy Department, as the SSA for the electric grid, had not fully developed a strategy for addressing cybersecurity risks to the grid. We have also reported that SSAs need to do more to facilitate sectors’ adoption of the National Institute of Standards and Technology’s Cybersecurity Framework and to measure any sector-wide improvements resulting from the use of the framework.

For more information see: Critical Infrastructure Protection: Additional Actions Needed to Identify Framework Adoption and Resulting Improvements, GAO-20-299 (February 2020)

Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid, GAO-19-332 (September 2019)

Q: The internet does not recognize international boundaries, and we’ve seen numerous cyberattacks reverberate around the globe. What can Congress and the Biden administration do to establish international norms and rules of cyber conduct?

A: The global aspects of cyberspace present key challenges to U.S. policy, and managing these challenges requires better coordination among federal entities on international cybersecurity issues. Federal entities have varying roles among organizations and efforts with international influence over cyberspace security and governance. For example, the Departments of Commerce, Defense, Homeland Security, Justice, and State, among others, are involved in efforts to develop international standards, formulate cyber defense policy, facilitate overseas investigations and law enforcement, and represent U.S. interests in international forums.

This multiplicity of roles and responsibilities brings with it a critical need for effective coordination. For example, the State Department needs to improve its coordination with other federal entities involved in cyber diplomacy efforts. In particular, six agencies that work with State on cyber diplomacy issues told us that State did not inform or involve them in the development of its plan to establish a new bureau dedicated to aligning cyberspace policy resources with an international security focus. State should involve federal agencies that contribute to cyber diplomacy to obtain their views and identify any risks, such as unnecessary fragmentation, overlap, and duplication of these efforts, as it implements its plan to establish this bureau.

Like several of these other challenge areas, government-wide leadership is essential to coordinating the various disparate efforts across the executive branch for global cyber engagement. Accordingly, expeditiously filling the national cyber director position will be a vital step toward ensuring consistency in the nation’s coordination with other nations on cybersecurity issues.

For more information see: Cyber Diplomacy: State Has Not Involved Relevant Federal Agencies in the Development of Its Plan to Establish the Cyberspace Security and Emerging Technologies Bureau, GAO-20-607R (September 2020)

Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy, GAO-20-629 (September 2020)

Q: The recent SolarWinds hack is an example of the devastating impact supply-chain attacks can have. These attacks take advantage of the extensive global supply chains many IT products have. A single device might involve dozens of manufacturers in multiple countries before final assembly, each of which is a potential attack point. The same principle applies for software – federal agencies have hundreds of different types and versions of software from third-party vendors in their systems, all of which are potential vulnerabilities. What should government and the private sector do to respond to this attack and better protect supply chain security in the future?

A: Federal agencies responsible for managing cyber risks have noted that the recent attack poses a grave risk to the federal, state, local, tribal, and territorial governments, as well as critical infrastructure entities and other private sector organizations. The complexity and severity of the attack means that the federal government needs to address multiple challenges simultaneously, including executing the federal strategy for national cybersecurity and global cyberspace, enhancing the federal response to cyber incidents, and mitigating global supply chain risks.

Regarding supply chain risks in particular, we recently reported that none of the 23 civilian CFO Act agencies had fully implemented seven selected foundational practices for managing information and communications technology supply chain risks. Those agencies need to address 145 recommendations that we made to fully establish the foundations for effectively managing their supply chain risks.

Further, government-wide efforts are essential to addressing supply-chain risk management across the executive branch. In this regard, the Federal Acquisition Security Council has been developing guidance for managing supply chain risks. Additionally, the National Cyber Strategy implementation plan tasked entities with various risk assessment activities, such as those related to the federal supply chain. These efforts can provide an important complement to agencies’ implementation of foundational supply-chain risk management practices. We expect to carry out additional work in the upcoming months on the recent attack and its implications for the security posture of the federal government.

For more information see: Information Technology: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks, GAO-21-171 (December 2020)

Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy, GAO-20-629 (September 2020)

Q: What can the federal government do to help ensure America leads the world in 5G technology and that federal networks can use this technology without relying on questionable foreign equipment?

A: 5G wireless networks promise to provide significantly greater speeds and higher capacity to accommodate more devices. As with previous generations of mobile wireless technology, the full performance of 5G will be achieved gradually as networks evolve over the next decade, and the benefits it brings will be accompanied by risks that must be identified and managed, including spectrum availability and efficiency, privacy, and cybersecurity. This will require strategic leadership from the White House and consideration of risks and trade-offs by policymakers.

In particular, these challenges call for additional research and development and the collection of more policy-relevant information. A better understanding of the challenges posed by 5G and how best to address them can have a positive effect on overall U.S. innovation and competitiveness in 5G.

With respect to cybersecurity in particular, some policy options to consider for 5G are nationwide, coordinated cybersecurity monitoring and the adoption of cybersecurity requirements for 5G networks. These approaches could help establish near real-time awareness of threats and risks and a consistent set of cybersecurity practices. These options have potential drawbacks, however, since carriers may not be comfortable reporting incidents and vulnerabilities, and defining and implementing the cybersecurity requirements would have to be done on an application-specific basis rather than as a one-size-fits-all approach. Additionally, designing a system to certify network components would be costly and would require a centralized entity, be it industry-led or government-led.

Coordinating a response to these challenges, as with other cybersecurity challenges facing the nation, requires executive leadership and the effective execution of a national strategy for cybersecurity. We reported that the White House’s 5G national strategy did not include a risk assessment or complete information on 5G risks, and it did not explicitly discuss estimated costs for achieving individual goals or for implementing the strategy as a whole. We recommended that the White House ensure that the plan to implement the 5G national strategy fully addresses all elements of our six desirable characteristics of a national strategy.

In conjunction with these considerations, practices for IT supply chain risk management can help agencies and other entities identify, assess, and mitigate cyber risks arising from the dependence on global supply chains. These foundational practices would apply to the acquisition of parts and equipment supporting 5G networks as this technology continues to be deployed.

For more information see: 5G Wireless: Capabilities and Challenges for an Evolving Network, GAO-21-26SP (November 2020)

National Security: Additional Actions Needed to Ensure Effectiveness of 5G Strategy, GAO-21-155R (October 2020)

5G Deployment: FCC Needs Comprehensive Strategic Planning to Guide Its Efforts, GAO-20-468 (June 2020)

Information Technology: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks, GAO-21-171 (December 2020)

U.S. Comptroller General Gene L. Dodaro

Gene L. Dodaro became the eighth comptroller general of the United States on December 22, 2010, when he was confirmed by the Senate. He had been serving as acting comptroller general since March of 2008. Mr. Dodaro has testified before Congress on important national issues, including the nation's response to the coronavirus pandemic, efforts to reduce and eliminate overlap and duplication across the federal government, and GAO’s “high-risk list” that focuses on specific challenges from reducing improper payments under Medicare and Medicaid to improving the Pentagon's business practices.