A report released by the Government Accountability Office (GAO) on Tuesday revealed that federal agencies are dragging their feet on establishing necessary safeguards against cyber attacks.
The government watchdog noted that it has over recent years made about 2,500 recommendations to agencies to bolster their cyber defenses.
“As of February 2017,” the report went on to state, “about 1,000 of our information security-related recommendations had not been implemented.”
Federal information security, protecting critical infrastructure, and defending the government’s store of personally identifiable information are all listed as “high risk” areas according to the GAO.
“Cyber-based intrusions and attacks on federal systems and systems supporting our nation’s critical infrastructure, such as communications and financial services, are evolving and becoming more sophisticated,” the report detailed.
The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database, a catalogue of publicly disclosed vulnerabilities in commercial and open-source software products (the same products that run on federal systems), rather than a list of weaknesses found in government networks. As of February 9, 2017, it contained more than 82,000 entries.
GAO recommended that agencies take action on a number of fronts. It called on agencies to build processes for “securely configuring operating systems, applications, workstations, servers, and network devices.” That includes patching known vulnerabilities and strengthening oversight of federal IT contractors.
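The report pairs the NVD vulnerability count with the recommendation to patch known vulnerabilities; in practice the two connect through a software inventory. The script below is an added illustration, not code from GAO, NIST or the report: it matches a list of installed products and versions against simplified NVD-style records (modelled on the feed's versionStartIncluding / versionEndExcluding fields) and emits a patch backlog ranked by CVSS score. The CVE identifiers, product names, hosts and versions are constructed placeholders, and the version comparison handles the common pitfall where a plain string comparison ranks 5.10 below 5.7.3.

```python
"""Match a software inventory against NVD-style vulnerability records to
produce a patch backlog.  Added illustration; the CVE records, product
names and hosts below are constructed placeholders, not real NVD data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import re


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str                 # "vendor:product", CPE style
    start_incl: Optional[str]    # first affected version (inclusive); None = from the beginning
    end_excl: Optional[str]      # first fixed version (exclusive); None = no fix available
    cvss: float                  # base score used to rank the backlog


def parse_version(version: str) -> Tuple:
    """Turn '2.4.10' into a comparable tuple.

    Numeric components are compared as integers so that 2.4.10 > 2.4.9, which a
    plain string comparison gets wrong.  Non-numeric components (e.g. 'rc1') sort
    after numbers; pre-release ordering is deliberately not modelled here.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def is_affected(version: str, rec: CveRecord) -> bool:
    """True if `version` falls inside the record's [start_incl, end_excl) range."""
    v = parse_version(version)
    if rec.start_incl is not None and v < parse_version(rec.start_incl):
        return False
    if rec.end_excl is not None and v >= parse_version(rec.end_excl):
        return False
    return True


def find_unpatched(inventory: List[Tuple[str, str, str]],
                   records: List[CveRecord]) -> List[Tuple[str, str, str, str, float]]:
    """Return (host, product, version, cve_id, cvss) for every known, unfixed
    vulnerability present in the inventory, highest CVSS first."""
    hits = []
    for host, product, version in inventory:
        for rec in records:
            if rec.product == product and is_affected(version, rec):
                hits.append((host, product, version, rec.cve_id, rec.cvss))
    hits.sort(key=lambda h: (-h[4], h[0], h[3]))
    return hits


# Constructed sample data.  The IDs are placeholders, not real CVE numbers.
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", "example:webserver", None, "2.4.10", 9.8),
    CveRecord("CVE-0000-0002", "example:webserver", "2.4.0", "2.4.12", 7.5),
    CveRecord("CVE-0000-0003", "example:dbengine", "5.0", "5.7.3", 6.5),
]

SAMPLE_INVENTORY = [
    ("web01", "example:webserver", "2.4.9"),   # below both fixes
    ("web02", "example:webserver", "2.4.10"),  # first fix applied, second not
    ("db01", "example:dbengine", "5.7.3"),     # exactly the fixed version
    ("db02", "example:dbengine", "5.10"),      # newer than 5.7.3; a string compare would say otherwise
    ("db03", "example:dbengine", "4.9"),       # predates the affected range
]


def patch_backlog() -> List[Tuple[str, str, str, str, float]]:
    """The ranked backlog for the constructed sample inventory."""
    return find_unpatched(SAMPLE_INVENTORY, SAMPLE_CVES)


if __name__ == "__main__":
    for host, product, version, cve_id, cvss in patch_backlog():
        print(f"{host:6} {product:20} {version:8} {cve_id} CVSS {cvss}")
```

Running the script lists three items: both placeholder CVEs against web01, and only the second against web02, which already carries the first fix. The database hosts drop out because a fixed version, a newer version and a version older than the affected range are all correctly treated as not vulnerable; only the version-aware comparison makes the 5.10 case come out right.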
The government also needs to “expand its cyber workforce planning and training efforts,” according to GAO.
The oversight body also noted that agencies, particularly within the Department of Homeland Security, need to improve cyber incident detection and mitigation activities.
A separate report, released earlier this month by GAO, knocked DHS’s National Cybersecurity and Communications Integration Center for not having a consolidated and effective way to track cyber attacks. The office reportedly also lacked contact information for roughly a quarter of critical infrastructure owners in the country, which could hinder response times to cyber intrusions.
During testimony before a House subcommittee on Tuesday, GAO’s Greg Wilshusen, who authored the report, provided a number of reasons for why the government has been slow to enact security recommendations.
“The recommendations in some instances require a longer period of time to actually implement consistently throughout the organization,” he testified.
Wilshusen added that, in some cases, agencies will close out recommendations once they’ve made plans to address them, but then never get around to actually implementing those reforms.
GAO also provided updated figures on the number of cyber security incidents reported to DHS, showing a sharp drop in 2016. Between 2006 and 2015, annual reported incidents rose by more than 1,300 percent, from 5,503 to 77,183.
In 2016, however, the number of reported incidents plummeted by more than half to 33,632.
An official from DHS acknowledged, though, that the drop-off was likely due to “revised reporting requirements” that no longer counted non-cyber incidents or mere scans and probes of agency networks.