Energy grid cybersecurity concerns, government transparency initiatives and impending budget cuts have all shone a light on the public sector's technological infrastructure in recent months. But while lawmakers debate the scope and merits of Internet security regulation, a new report from the Government Accountability Office (GAO) suggests it may be wiser to shift the conversation toward preventable root-cause issues such as IT supply chain oversights.
"Federal agencies rely extensively on computerized information systems and electronic data to carry out their operations," the report stated. "The exploitation of information technology products and services through the global supply chain is an emerging threat that could degrade the confidentiality, integrity and availability of critical and sensitive agency networks and data."
The primary IT supply chain threats identified by GAO auditors were the installation of "malicious logic" in hardware and software, the introduction of counterfeit components, and unintentional errors of omission or commission during original production. Agencies were also warned about the disruption or discontinuation of the manufacture of critical products and services, and about reliance on third-party providers that are unqualified or have malicious intent.
These "unacceptable risk(s)" identified by the GAO are especially concerning in light of confirmed reports of cyber espionage in recent years.
Last October, the Office of the National Counterintelligence Executive released a report suggesting that Chinese and Russian hackers may have jeopardized as much as $400 billion in U.S. research and development spending by exploiting data security vulnerabilities and pilfering American technological trade secrets. More recently, former White House counterterrorism and cybersecurity advisor Richard Clarke asserted that Chinese hackers have successfully infiltrated "every major U.S. company," including several prominent defense contractors.
With domestic and foreign adversaries poised to exploit any available weakness, the stakes of IT supply chain diligence could hardly be higher. The report noted that the Departments of Justice and Defense have already acknowledged these risks and begun to address them. The Departments of Energy and Homeland Security, however, were faulted for having yet to define supply chain protection measures for their information systems.
Accordingly, the report made specific recommendations to those departments: develop and document policies requiring protection against supply chain threats, implement procedures to carry those policies out, and establish monitoring and quality-control mechanisms to verify that the protections actually work.
"Until comprehensive policies, procedures and monitoring capabilities are developed, documented and implemented, it is more likely that these national security-related departments will rely on security measures that are inadequate, ineffective or inefficient to manage emergent information technology supply chain risks," auditors concluded.
The Department of Defense's current approach was spotlighted as a possible blueprint for other agencies. According to the GAO, an incremental approach that begins with clearly defined protection mechanisms makes large-scale implementation less cumbersome and, ultimately, makes monitoring more effective.
To ensure the findings translate into action, auditors also called on lawmakers to hold slower-moving agencies accountable through a variety of oversight strategies.
According to PCWorld, this legislative vigilance was on display at a recent hearing of the House Energy and Commerce Committee's oversight subcommittee, where Department of Energy (DOE) chief information security officer Gil Vega was asked to provide a concrete timetable for auditing his agency's IT supply chain. DOE's responsibility for the nation's nuclear facilities only added weight to the question.
While the GAO's findings are significant and merit the attention of public sector leaders, agencies know that the cybersecurity equation contains multiple variables. According to PCWorld, several witnesses at the subcommittee hearing also underscored the role of intelligence community initiatives in disrupting cybercriminals' plots.
Data Security News from SimplySecurity.com by Trend Micro