Cyber strategy short on specifics and metrics, says GAO

The Trump administration's national cybersecurity strategy is a good start but more accountability is needed, the head of the Government Accountability Office told two congressional panels on March 6.


Comptroller General Gene Dodaro was on Capitol Hill to present the biennial High Risk List of 35 areas in the federal government vulnerable to fraud, waste, abuse or mismanagement.

Cybersecurity across the federal government remains a critical concern, even with the administration's National Cyber Strategy released last September. The security of critical infrastructure remains an issue as well.

"I give the administration credit for its cybersecurity plan, but there is no implementation plan, definition of responsibilities, or metrics," Dodaro said during the Senate hearing.

"There's not enough of a sense of urgency to correct [cybersecurity] problems at agencies or across government," he told the Senate panel. He singled out the elimination of the White House cybersecurity coordinator post at the National Security Council as an area of concern.

Dodaro told the afternoon House panel that GAO sees the same "material weaknesses" in federal agency IT systems "year after year." He attributed some of that vulnerability to the "millstone" legacy systems agencies must deal with.

Dodaro's report recommends a "comprehensive, national and global cybersecurity plan" that builds into the strategy elements such as supply chain protections and cyber workforce development.

The report also recommends agencies fix nagging known cyber vulnerabilities.

"We've made 3,000 recommendations [to agencies to fix known cyber vulnerabilities] since 2010," he said. "Seven hundred of those are still not implemented."

The report also recommends tighter standards for private sector critical infrastructure cybersecurity. "Most standards" for critical infrastructure cybersecurity, Dodaro said, "are voluntary."

"We don't know how secure the private sector is," he said.

Dodaro didn't think that an independent federal cybersecurity inspector general -- as proposed by some lawmakers -- was necessary.

"We're talking to the National Security Council, OMB and the White House" about putting more detail to the cybersecurity strategy, he told reporters.

In an interview after the Senate hearing, committee member Sen. James Lankford (R-Okla.) told FCW he didn't find GAO's cybersecurity recommendations surprising.

"It's an ongoing issue of who has the ball," Lankford said. "The problem is everyone has the ball."