Posted by Taylor Armerding on January 10, 2019
The September GAO cybersecurity report stated that about 1,000 of its recommendations to federal agencies remain outstanding, including ones on automotive, military, and IoT security.
The original version of this post was published in Forbes.
The U.S. government has gotten pretty good, or at least pretty productive, over the past couple of decades at laying out, in multiple reports, plans, strategies and initiatives under multiple presidents, what needs to be done to improve the nation’s cybersecurity—including the latest from just a month ago called a “Cybersecurity Moonshot.”
But actually getting it done? Based on findings of the U.S. Government Accountability Office (GAO) this past fall, not so much.
According to a report titled “Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation,” delivered to Congress this past September, of more than 3,000 GAO recommendations to federal agencies since 2010, aimed at addressing cybersecurity shortcomings, about 1,000 of them have not been implemented.
It might be tempting to declare that this means the glass is two-thirds full. But in a world where the brutal reality is that cyber attackers need to be right only once to succeed while defenders need to be right all the time, a glass that is one-third empty amounts to a gaping security hole.
And as you might expect, the risks of not fixing those vulnerabilities are significant. In a guest post for The Hill, Gene L. Dodaro, U.S. comptroller general and head of the GAO, wrote that a partial list of those risks includes major blackouts, a takedown of electronic communications, bank account takeovers, identity theft and a stock market collapse that, obviously, would put the overall economy into a tailspin. In a word, catastrophic.
Not to mention that departments and agencies have had close to a decade to address many of them.
And when it comes to one of the report's 10 “action items,” the one titled “Ensure security of emerging technologies”—the Internet of Things (IoT), artificial intelligence (AI) and cryptocurrency/blockchain—the numbers are very small, but equally troubling. The GAO has made only three recommendations specifically focused on emerging technologies, and while the responsible agencies have agreed with them and taken some action, none has been completed, including one that the GAO said “warrants priority attention from heads of key departments and agencies.”
Why only three recommendations for a sector that includes the IoT, easily the broadest attack surface for hackers?
Nick Marinos, director of cybersecurity and data protection issues at GAO, said the number of recommendations does not reflect “the amount of work that GAO has done to raise concerns regarding the cybersecurity of emerging technologies.”
He said many recommendations in the other nine action areas have connections to emerging technologies.
“For example, we have ongoing reviews looking at supply chain cybersecurity issues as well as the impact of 5G on the government and nation,” he said. “These have relevance to securing the emerging technology area along with other topics.”
And he said he expects the number of recommendations focused on emerging technologies “will increase quite substantially in the coming years.”
Automotive security is a priority
For now, the single priority recommendation, which goes back nearly three years, to March 2016, focused on vehicle security. It called for the Department of Transportation (DOT) to “direct the National Highway Traffic Safety Administration (NHTSA) to work expeditiously to finish defining and then to document the agency’s roles and responsibilities in response to a vehicle cyberattack involving safety-critical systems.”
The DOT’s response later that month agreed with the recommendation and cited a number of things the agency was doing, including “research opportunities,” convening a roundtable meeting with automotive stakeholders and reaching a “historic agreement” with 18 automakers on “proactive safety principles.”
All of which could be boiled down to, “we’re working on it.”
But not finished with it. The current “status” of the recommendation said that by February 2018 (almost two years later), the DOT had “outlined NHTSA’s roles and responsibilities to address cybersecurity incidents that involve automotive safety critical systems under its existing processes and authorities, but continues to examine whether these processes will need to be updated.”
“In addition, NHTSA still needs to document how it will collaborate with other federal agencies and stakeholders in responding to a cyberattack.”
And nothing since then, almost another year later. That would be hard to describe as expeditious.
The same goes for the other two recommendations (which were not labeled “priority”), both directed to the Department of Defense (DOD) in a July 2017 report.
The first called for the DOD, along with the military, to “conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.”
While the DOD agreed with the recommendation, the GAO status report said it sought an update from the agency this past August and is still “awaiting their response.”
The second called for the DOD and military to “review and assess existing departmental security policies and guidance—on cybersecurity, operations security, physical security, and information security—that may affect IoT devices; and identify areas where new DOD policies and guidance may be needed—including for specific IoT devices, applications, or procedures—and where existing security policies and guidance can be updated to address IoT security concerns.”
The status of that one? DOD agreed with it and “has implemented one geo-location policy in 2018 relating to operations security that addresses a portion of this recommendation.”
Yes, it has been said for generations that the wheels of bureaucracy turn slowly, but this is a sector where neither the evolution of the technology nor the sophistication and impact of attacks is moving slowly.
Indeed, a GAO report from this past October found that almost all weapon systems the DOD tested between 2012 and 2017, including the F-35 jet and missile systems, have “mission critical” cyber vulnerabilities and can be “easily hacked” using “relatively simple tools and techniques.” Those networked weapon systems are, of course, part of the IoT.
All of which points to what security experts have been saying for at least a couple of decades: If devices, networks and systems are easy to hack, it is because the software running them is insecure—it carries vulnerabilities that were never found or never patched, and those are what attackers use. So if there is to be any hope of securing the IoT and other emerging technologies, one major requirement will be building security into software throughout the software development life cycle (SDLC), from design through deployment and maintenance.
There are plenty of recommendations and suggested best practices already available on how to do that. So the current state of security also raises an obvious question: Who, or what department, has the leverage to force agencies to implement recommendations more, uh, “expeditiously”?
Marinos said agencies are required by law to “document an action plan to address recommendations from our reports. The head of GAO also meets regularly with department and agency heads to discuss the status of open priority recommendations.”
And, he added, “Congress can follow up and take their own action if an agency fails to follow through.”
That is always possible. But given the current focus of Congress, best not to hold your breath.