The Government Accountability Office has been warning Congress for two decades now of its concerns with agencies’ ability to properly and effectively secure their systems and information.
Once again, the GAO’s High-Risk List — presented bi-annually to each new Congress — includes “Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information,” or PII.
That topic was first identified as a high-risk area in 1997, and its continued presence suggest the government is still struggling with it.
As this year’s report, released Wednesday, explains:
“Over the past several years, we have made about 2,500 recommendations to agencies aimed at improving the security of federal systems and information. These recommendations would help agencies strengthen technical security controls over their computer networks and systems, fully implement aspects of their information security programs, and protect the privacy of PII held on their systems. As of October 2016, about 1,000 of our information security-related recommendations had not been implemented. In addition, the federal government needs, among other things, to improve its abilities to detect, respond to, and mitigate cyber incidents; expand efforts to protect cyber critical infrastructure; and oversee the protection of PII, among other things.”
Members of the House Oversight and Government Reform Committee asked Wednesday why agencies aren’t moving quicker to implement the recommendations.
“I’ve been very concerned about the pace that agencies implement our recommendations in this area. We at first identified this as a governmentwide problem — the first time we ever identified anything across the entire federal government high risk — in 1997,” said Gene Dodaro, U.S. comptroller general and head of GAO.
With an increase in high-profile breaches that have targeted and impacted federal agencies in recent years, “there’s been more attention given to this area, but not enough,” Dodaro testified.
“It is hard to get agencies’ attention to put in place comprehensive systems. Secondly, there’s a lot of legacy systems, old systems where they just can’t keep up with patching things appropriately and they need to replace the legacy systems,” he said.
“I’m hoping as I meet with the new officials from the new administration, the Cabinet officials, I put this on their radar screen for prompt attention.”
Census IT draws doubts
New to the High-Risk List in 2017, the 2020 Decennial Census has lawmakers fearing the endeavor will not only be costly, like in 2010, but potentially inaccurate due to IT concerns and lack of testing.
“They have a series of innovations that are very important potential innovations that can have huge cost savings implications if they work out…at the same time they are cancelling tests in the field for later this year and into 2018,” said Chris Mihm, GAO’s managing director of strategic issues. “They need to make sure that they’re able to have these innovations … be able to work together in concert in census-taking operations.”
The Census Bureau alleviated some concerns in anticipation of the 2020 census by moving to off-the-shelf device configurations rather than designing specialized equipment.
“What happened in 2010 in terms of technology was kind of a disaster: custom-made, handheld devices, and so forth,” said Rep. Gerry Connolly, D-Va.
But still, there are issues with the new system, such as an inability with the software on the devices for enumerators to leave notes about their attempts to visit households.
“You state that with the technology they’re using in field tests, 25 percent of households could not be contacted by bureau enumerators, even after six attempts,” Connolly said. “That’s astounding. That calls into question the accuracy of the Census itself.”
The issue, Mihm explained, is that without a detailed note about an attempted visit, subsequent enumerators then don’t know when best to plan a follow-up visit.
“If they go at noon for three straight days in a row, when there hasn’t been someone there at noon, people are working, they need to be able to say to go back at 5 ‘o’ clock or before people leave for work,” he said
All-in-all, the 2017 report says, the “cost risks, new innovations, and acquisition and development of IT systems for the 2020 Census, along with other challenges we have identified in recent years, raise serious concerns about the Bureau’s ability to conduct a cost-effective enumeration. Based on these concerns, we have concluded that the 2020 Census is a high-risk area and have added it to the High-Risk List in 2017.”