U.S. Comptroller General Gene Dodaro, who heads the Government Accountability Office (GAO), today publicly questioned the priority given by Federal agency heads to cybersecurity issues that have long been flagged by GAO on its “High Risk List,” the latest biennial edition of which was issued by the agency today.
The list issued today includes 35 high-risk areas regarding Federal government operations “with vulnerabilities to fraud, waste, abuse, and mismanagement, or in need of transformation to address economy, efficiency, or effectiveness challenges.” The status of less than half of those items has not changed since 2017, he said.
As with the previous edition of the High Risk List issued in 2017, “ensuring the cybersecurity of the nation” remains on the list, and was the subject of much inquiry by members of the House Oversight and Reform Committee at a hearing this afternoon.
Responding to a question from Rep. Harley Rouda, D-Calif., about the slow pace of progress on Federal cybersecurity issues over the past several years, Dodaro responded, “I just do not think there is enough top-level management attention” on the longstanding cyber issues that GAO has flagged since the late 1990s.
“There are a lot of plans put in place,” he said of Federal agency cybersecurity efforts, but less action in the way of implementing those plans.
“Departments and agencies year after year have the same material weaknesses” in security, he said, adding that the “millstone around their necks is legacy systems.”
“We have to replace legacy systems,” Dodaro said, who estimated that 75 percent of Federal agency IT spend goes to legacy systems. He said that the Technology Modernization Fund will hasten the replacement of legacy systems, as will the grant of “proper authority” to agency CIOs.
Rep. Gerry Connolly, D-Va., chairman of the Oversight Committee’s Government Operations Subcommittee that has a strong focus on Federal IT issues, elaborated on the problem of legacy systems, and said that under the general heading of cybersecurity, GAO over the years has issued 700 recommendations to Federal agencies that have not yet been acted upon.
Asking why those have not been implanted, Dodaro reiterated, “I am concerned that it is not a priority for the heads of departments and agencies.” He said he thought Congress should provide more rigorous oversight of the issue. But he also offered that Federal agency heads have to deal with “many other competing problems.”
In a separate statement issued in advance of today’s hearing, Connolly said, “GAO has specifically identified our nation’s cybersecurity as an area that requires additional attention from Congress and the Administration. As security threats evolve and become more sophisticated, the risks to the information technology systems underpinning the nation’s critical infrastructure are increasingly at risk. Every federal agency holds sensitive information that if inappropriately accessed and disclosed could threaten our national security, economic well-being, or public health.”
He continued, “The Trump Administration has not taken the necessary steps to address the serious vulnerabilities federal agencies have in securing their networks. In May 2017, the President issued an executive order on cybersecurity, in December 2018 the Administration published a National Security Strategy, and last May the Department of Homeland Security (DHS) published its Cybersecurity Strategy. However, none of those actions constitute a comprehensive cybersecurity strategy that clearly defines the roles and responsibilities for key agencies such as DHS, the Department of Defense (DoD), and the Office of Management and Budget (OMB). In fact, some of the actions taken by the Administration have made it more difficult for federal agencies to confront the cyber threat.”
“I am also concerned with the continued presence of information technology (IT) management on the GAO’s High Risk List,” he said. “The federal government currently invests more than $90 billion annually on IT, and OMB has implemented several key initiatives intended to help better manage this investment. Additionally, implementation of the Federal Information Technology Acquisition Reform Act (FITARA)–or Connolly-Issa–and the Government Operations Subcommittee’s biannual FITARA Scorecard hearings have helped improve the government-wide management of IT investments. FITARA is the framework for IT procurement that ensures the federal government is making smart and effective investments to modernize federal IT.”
He continued, “Unfortunately, GAO continues to report that chief information officers are still not empowered to fully assess their agency’s IT needs and effectively implement IT strategy. In the High Risk report, GAO has identified data center consolidation, plans to modernize or replace legacy systems, and full implementation of PortfolioStat as outstanding open recommendations that agencies must work to address. That is why I will continue to work with GAO and my colleagues to conduct oversight of federal agency implementation of FITARA.”
On related issues, committee Chairman Elijah Cummings, D-Md., bemoaned the White House’s move last year to remove the position of cybersecurity coordinator from the National Security Council, which he said has left “our Federal government without any White House leader” on cybersecurity issues.
And he cast blame on the White House for not improving systems for Federal security clearance procedures, noting that the current backlog of clearance applications stands at 565,000. Dodaro said the backlog had stood as high as 700,000 when it was added to GAO’s High Risk List, and said that reduction represented “some progress in that area.”
Other subjects that drew committee members’ interest at today’s hearing included the Trump administration’s actions on climate change issues, the issuance of security clearances including to top White House aide Jared Kushner.
