As agencies face an increasing volume of cyber threats, the Government Accountability Office will examine whether the Trump administration has a reliable hierarchy of cybersecurity leadership.
Last year, federal civilian agencies reported more than 35,000 information security incidents to U.S. Computer Emergency Readiness Team (US-CERT), a more than 14 percent increase from the previous year, according to a GAO report released Wednesday.
Since 2010, the governmentwide watchdog has issued more than 3,000 recommendations to help agencies shore up their cybersecurity posture, but as of this month, about 1,000 recommendations have yet to be implemented
“I don’t think the federal government is moving at a pace commensurate with the evolving threat in this area,” Comptroller General Gene Dodaro told members of the House Oversight and Government Reform Committee on Wednesday.
Dodaro added that he would “like to see more milestones” the development of an updated National Cybersecurity Strategy, but said the Homeland Security Department plans to release its own strategy in August.
The DHS plan, he added, would identify further milestones that would include the resources and the performance measures.
Congress thrown by cyber coordinator’s dismissal
In reaction to the rise in cyber threats outlined in the GAO report, several lawmakers expressed concern over the elimination of the White House cybersecurity coordinator role, a job last held by Rob Joyce until he stepped down in April.
“I was surprised that the position was eliminated,” Dodaro said, adding that GAO plans to take a look at the Trump administration’s current cyber chain of command to determine whether splitting up the functions of the cybersecurity coordinator makes sense.
“We’ve never really evaluated the cybersecurity coordinator role. We’ve been more focused on getting a national strategy in place and making clarifications,” Dodaro said. “I haven’t fully examined what that position did — what kind of resources they had available and what their accomplishments were during that period of time. It’s an area that I’m concerned about. You always want to have good leadership. You can have good leadership in a number of different ways. But I want to look at it more carefully before I advise on what exactly what would need to be done differently from what they’re contemplating doing.”
Rep. Gerry Connolly (D-Va.), the ranking member of the IT subcommittee, encouraged GAO to look at the impact of the cybersecurity coordinator role.
“Maybe diffusing, or splitting responsibility, allows us to have a whole greater than the sum of the parts,” Connolly said.
But Connolly also acknowledged recent reports that have shown the cybersecurity coordinator role had been key to resolving conflicts among agencies, helping cabinet-level agency heads prepare major policy decisions and responding to cyber crises.
“More often than not in government, you need a central focus — some champion who is vested with authority and responsibility for moving the agenda for advocating for a cause,” he added. “I would welcome you to look at that. I think we’d want to know, did the Trump administration make a good decision or did it make a mistake in abolishing this position?”
Federal Chief Information Officer Suzette Kent said newly confirmed Federal Chief Information Security Officer Grant Schneider works closely with her and Rear Adm. Douglas Fears, the administration’s new homeland security adviser.
“My federal chief information security officer has a dual-reporting relationship between he and I, so that there’s no miss or time in translation for things that we need to take action on,” Kent said. “I think I have a very clear set of mandates of actions that we need to take across the federal agencies.”
But the gaps in cyber talent, real or perceived, don’t end at leadership. Kent said more than 15,000 cyber positions across the government still need to be filled.
“In many cases, we still have almost a 25 percent gap in the number of cyber resources that we need across federal agencies and what we currently have in place,” she said. “Particularly, we have some gaps in leadership and places where we have open positions that are key leaders. In many cases, the individuals, when we get them in, their tenure is less than 12-18 months.”
Modernizing workforce on PMA priorities list
The President’s Management Agenda, which Kent has advocated for in recent months, lists modernizing the workforce as one of 14 major cross-agency priorities.
“Our current status is as much a people issue as it is a technology issue,” she said.
In order to address the gaps in the cyber workforce, National Institute of Standards and Technology in August 2017 released its Cybersecurity Workforce Framework as an attempt to have a common language and designation for cybersecurity and IT job descriptions.
Meanwhile, the Federal Cyber Workforce Assessment Act, which passed in 2016, has tasked agencies with assigning a code to specific job functions.
But in a report last month, GAO found that 13 of 24 agencies still hadn’t met all of the requirements of the law.
Of the 35,000 security incidents mentioned in the report, GAO found that agencies weren’t able to identify a root cause in 31 percent of cases.
“It’s important to have an effort to detect these things when they occur,” Dodaro said. “The attacks happen in a matter of minutes, but the detection doesn’t occur for months later, and that impairs the ability to determine exactly [what] happened that led to this attack situation.”