GAO Will Release Report on Pandemic Cyber, Expand Reviews to Include Supply Chain in Near Future

The Government Accountability Office is planning to release a report in early fiscal 2022 about the cybersecurity impacts of technologies adopted in response to the pandemic. When government agencies shifted to mass telework, that presented a whole host of new challenges for IT personnel who weren’t used to having the majority of their endpoints outside traditional network boundaries, and catalyzed the current push to adopt zero trust.

“I can’t discuss the findings of the report necessarily,” said Jennifer Franks, director of IT & Cybersecurity at GAO, during an August 31 FedInsider webinar. “But it was obvious to us that the threat surface had indeed expanded for these agencies, with more employees working remotely. And that this was a risk agencies were willing to indeed accept to maintain the health and safety of their employees, among other reasons, during the pandemic.”

Franks said her team surveyed and followed up with select agencies on their experiences moving to maximum telework, implementing federal guidance, the tools they adopted, the cybersecurity challenges they experienced, and how they overcame them.

Franks said that in the near future, GAO will also be expanding its reviews to take recent pushes to improve supply chain risk management into account. She pointed to the SolarWinds incident and the Microsoft Exchange vulnerabilities as recent examples of how federal agencies can secure their own networks and yet still be exposed to attack through the software and services they depend on.

“So now not only do agencies have to worry about their network, but now we have to worry about the networks of the entities of supposed ‘trusted’ partners and suppliers,” Franks said.

She also said every agency should be implementing a zero trust architecture and proactive threat hunting.

“This is another area that you can no longer just be passive and reactive to,” Franks said. “If you take that stance, we’ll always be behind the eight ball and constantly chasing after the next threat, instead of releasing in front of it, or even at least in line with the next cyber security curves. And threat hunting really is a proactive measure, and it gives more visibility inside of an enterprise’s network. So if an agency could know what it needs to secure, it could know what it needs to monitor a little bit more efficiently and effectively to provide its goods and services for its customers.”

Some agencies are already acting on this advice; Mike Witt, associate CIO for the Cybersecurity & Privacy Division at NASA, said he is currently working toward a software-defined access network infrastructure, which will provide a framework for zero trust at the agency. And Gary Stevens, executive director of Information Services Policy & Strategy at the Department of Veterans Affairs, said VA is part of the National Institute of Standards and Technology’s zero trust lab team through the National Cybersecurity Center of Excellence.