Trump's axing of cyber czar role has left gaping holes in US defence
Damning report shows Uncle Sam falling behind
Comment A cybersecurity czar has been a long-established presence in US government – until recently. Against a rising tide of attacks on the nation's infrastructure and election systems, Donald Trump eliminated the post through an executive order in May.
As if to highlight the deficiency of such a move, just two months later the US Government Accountability Office (GAO) told politicians that Uncle Sam had failed to implement 1,000 cyber protection recommendations from a list of 3,000 made since 2010 that it said are "urgent to protect the nation". Further, 31 out of a total of 35 more recent priority recommendations were also not acted upon. That testimony was released in a report (PDF) this month.
In the infosec arms race, this does not make comfortable reading, particularly since the US cybersecurity coordinator post has been axed.
Despite progress in some areas such as identifying (if not yet filling) gaps in cybersecurity skills, the GAO reckoned that the security holes have left federal agencies' information and systems "increasingly susceptible to the multitude of cyber-related threats".
It told the Office of the President, the US Congress and federal agencies of all stripes to shape up and take cybersecurity seriously.
These omissions include having a more comprehensive cybersecurity strategy, better oversight, maintaining a qualified cybersecurity workforce, addressing security weaknesses in federal systems and information and enhancement of incident response efforts.
Nick Marinos, director of cybersecurity and data protection issues, and Gregory C Wilshusen, director of information security issues, signed off September's report with a stark warning:
Until our recommendations are addressed and actions are taken to address the challenges we identified, the federal government, the national critical infrastructure, and the personal information of US citizens will be increasingly susceptible to the multitude of cyber-related threats that exist.
The risks to IT systems supporting the federal government and the nation's critical infrastructure are increasing as security threats continue to evolve and become more sophisticated. These risks include insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, steady advances in the sophistication of attack technology, and the emergence of new and more destructive attacks.
The GAO also blasted the IT sector for compounding these risks: "IT systems are often riddled with security vulnerabilities – both known and unknown."
The report said in 2017 more than 35,000 cybersecurity incidents at civilian agencies had been reported by the Office of Management and Budget to Congress. A breakdown of these figures revealed that 31 per cent of these attacks were listed as "other", saying: "If an agency cannot identify the threat vector (or avenue of attack), it could be difficult for that agency to define more specific handling procedures to respond to the incident and take actions to minimize similar future attacks."
Other incidences listed were improper usage (22 per cent), email/phishing (21 per cent), loss or theft of equipment (12 per cent), web site or web app origin based attacks (11 per cent).
Attacks cited include a March 2018 threat when the Mayor of Atlanta, Georgia, reported that the city was being victimised by a ransomware attack.
In March the Department of Justice indicted nine Iranians for conducting a "massive cyber security theft campaign" on behalf of the Islamic Revolutionary Guard Corps. That indictment alleged they stole more than 31TB of documents and data from more than 140 American universities, 30 US companies, and five federal government agencies.
The Russians were also called out for targeting critical systems in nuclear, energy, water and aviation.
But, of course, Trump is a little confused when it comes to Russia's cyber-dabbling in the US.
You can argue the US government fell behind under the watch of the cyber czar and that action was needed, but that hardly necessitated the elimination of this central post.
The GAO testimony and this month's report rightly questions whether the US was doing enough to protect its citizens and critical infrastructure. The answer seemed to be a "must try harder" - but that's OK, because improvement can only come through such transparency and self-assessment.
Trump's May decision and this report taken together suggest that if the West was already slipping behind in the cyber war, things can only get worse now that the supposed leader of the free world has deliberately, and carelessly, taken his eye off the ball on the home front. ®