Nearly 60% of 335 cybersecurity recommendations the General Accounting Office has made for federal agencies since 2010 have not been implemented. Effective oversight must be implemented.




blog 8 gao article image

Synopsys

See if you can guess when this was written:

“When the government purchases products or services with inadequate in-built cybersecurity, the risks persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.”

“Purchasing products and services that have appropriate cybersecurity designed and built-in may have a higher up-front cost in some cases, but doing so reduces total cost of ownership …”

It sounds like it could easily have come from President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity. Or perhaps his much more recent National Cybersecurity Strategy released just two months ago. Both documents call for acquisition reform—using the federal government’s purchasing power to force improvements in the security of software products, especially those used in critical infrastructure.

But no. Those declarations were from nearly a decade ago during the Obama presidency—they are the opening lines of a November 2013 report by the Department of Defense and the General Services Administration titled Improving Cybersecurity and Resilience through Acquisition.

That raises an obvious question: Why does the Biden administration still need to call for acquisition reform?

The answer is also obvious: Because it hasn’t happened yet. This could help explain several recent reports from the federal General Accounting Office (GAO) noting that nearly 60% of 335 cybersecurity recommendations it has made for federal agencies since 2010 have not been implemented.

It actually goes well beyond that. Marisol Cruz Cain director with the GAO’s Information Technology and Cybersecurity Team, said that “since 2010, we have made more than 4,000 recommendations to agencies aimed at addressing cybersecurity challenges facing the government. More than 670 of these recommendations have been made since the last high-risk update in 2021. As of February 2023, more than 850 recommendations had not been fully implemented, including 52 of 133 priority recommendations.”

In the specific area of supply chain risk management (SCRM), which acquisition reform would address, the GAO reported that of 23 agencies reviewed in 2020, none had fully implemented all seven “foundational practices” of SCRM and 14 had implemented none of them. 

Those practices include:

  • Establish a process to conduct a SCRM review of a potential supplier.
  • Establish executive oversight of Information and Communications Technology (ICT) SCRM activities.
  • Identify and document agency ICT supply chains.
  • Develop organizational procedures to defeat counterfeit and compromised ICT products prior to deployment.
  • Develop an agency-wide ICT SCRM strategy.
  • Develop organizational ICT SCRM requirements for suppliers.
  • Establish a process to conduct agency-wide assessments of ICT supply chain risks.

It’s a stark illustration of the gulf between aspiration and reality. Government entities ranging from agency watchdogs like the GAO to presidents can issue exhortations, recommendations—even orders—but that doesn’t guarantee they’ll get done, even if they really need to get done, and better cybersecurity falls into that category. Presidents and members of Congress come and go, after all, while the bureaucracy is about as close as it gets on Earth to eternal life.

Still, it’s ironic that while there is bipartisan support in Congress, at least in theory, for improving cybersecurity, a lot of the details aren’t getting done.

Why? Because when it comes to incentives, there’s not much of a carrot (budget) or a stick (consequences).

Cain said most GAO recommendations are addressed to executive branch agencies, which then have the primary responsibility for implementing them. She added that most of those agencies agree with the recommendations and that “Congress frequently holds hearings to oversee agencies’ progress in implementing our recommendations—particularly where Congress is not satisfied with progress toward implementing them.”

But ultimately, she said, “There are no consequences for failure to implement a GAO recommendation.”

And when there are no consequences, recommendations logically become a lower priority.

Emile Monette, director of government contracts and value chain security with Synopsys, knows all about inertia within government, even on problems that need to be addressed aggressively—he is a co-author of that 2013 report cited above.

“Most often the agencies are not provided with an additional budget to implement the recommendations, so there are tough internal choices to make about which thing to stop doing so you can do the things the GAO recommended,” he said, adding that the recently released Biden strategy document “doesn’t include resources or measures of effectiveness as the GAO recommends.”

Monette said Congress has the power at least to apply pressure on agencies that fail to implement GAO recommendations.

“When the GAO reports back to the congressional sponsors that the agencies aren’t complying with recommendations, the members have two options, which are the two things Congress can do other than legislate—reduce or add to a budget and conduct oversight hearings,” he said.

But political longevity is a factor in that as well. Agency heads are political appointees, not career civil servants, so are rarely around for more than a few years. And members of Congress are forever in campaign mode, so they also want to focus on problems that can be resolved quickly.

Whatever the reasons, the failure of any comprehensive response to the GAO recommendations puts the nation at risk of what Monette calls “all the same bad things we talk about all the time—zero-days, unmitigated known vulnerabilities, poor code quality, mismanagement of FOSS [free and open source software], counterfeits, etc.”

Or as Cain put it, “All these recommendations are important and it’s critical that agencies work to implement them. They represent vulnerabilities that could be exploited to carry out devastating cyberattacks.”

She said those could include disruption of critical systems, theft of sensitive information, and threats to economic and national security. “We’ve seen examples of these threats in the SolarWinds hack in late 2020, the Colonial Pipeline shutdown in 2021,” she said. Not to mention the catastrophic breach of the federal Office of Personnel Management in 2015 that compromised the personal information of more than 22 million current and former federal employees.

The only way to move the needle, Monette said, would be for Congress to get more aggressive. But that, he said, is unlikely. The only consequences, he said, tend to be “just the tongue-lashing, sound-bite punishment of agency political appointees by members of Congress. Rarely does anyone lose their job or get subjected to any other punitive actions.”

Don Davidson, director of cyber SCRM programs at Synopsys and also a co-author of the 2013 report, is also familiar with good intentions ending up on the shelf.

There does appear to be some EO & GAO deja vu here,” he said. “Same findings and recommendations—repeat with little or no corrective action—looks like a leadership challenge to put your money where your mouth is.”

To learn more about Synopsys, visit us here.

Copyright © 2023 IDG Communications, Inc.