GAO Report on Cybersecurity Provides Useful Strategies for Federal Agencies and Private Industry

Posted by

The Government Accountability Office (GAO) recently published another report in its High-Risk Series detailing the major cybersecurity challenges facing the federal government and outlines key strategic elements to address those challenges. While the report focuses on issues pertaining to federal agencies, several of the observations, and recommendations are also applicable to private businesses.

To start, the report details five key elements that are needed to make progress in addressing cyber threats: 1) Leadership Commitment; 2) Capacity; 3) Action Plan; 4) Monitoring; and 5) Demonstrated Progress. The report specifies the federal government has met the leadership prong, but needs improvement in the 4 other elements. Private business would likewise be well served in adopting many, if not all, of the five elements. Notably, the five elements do not “stand alone” and must be implemented together. The report further breaks down the elements and provides a basic framework for each one. For instance, implementing the leadership elements entails establishing long-term goal/priorities and establishing high-level governance structures, among others. The report similarly adds specific examples concerning how each element can be addressed. At bottom, private entities can glean guidance from the key elements.

In addition, the report highlights 4 major cybersecurity challenges that the federal government should address. Many of these challenges also affect private industry. In particular, the report highlights the following areas:

  1. Establishing a comprehensive cybersecurity strategy and performing effective oversight
  2. Securing federal systems and information
  3. Protecting cyber critical infrastructure
  4. Protecting privacy and sensitive data

Under the major challenges, the report generally bemoans the lack of an overarching cybersecurity strategy. Interestingly, the GAO focuses on the potential issues that may arise when software developers or device manufacturers are based in cyber-threat nations like China. Moreover, a spotlight is placed on the need to improve and grow cybersecurity workforce employees. The report also stresses the importance of the federal government working with the private sector to protect critical infrastructure. It warns the failure to do so properly protect critical infrastructure can have significant national security implications because they are the basis of American society. The GAO concludes by focusing on the challenge of protecting privacy and sensitive data. In particular, it underscores the need to both protect private information and to ensure the amount of information is limited and done with consent.

In sum, although the report is primarily aimed at the shortcomings of the federal government, the threats and corresponding suggestions in addressing those challenges are also generally applicable to private businesses.