Federal agencies and our nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—depend on technology systems to carry out operations and process, maintain, and report essential information. The security of these systems and data is vital to protecting individual privacy and ensuring national security, prosperity, and the well-being of Americans.
However, risks to technology systems are increasing—in particular, malicious actors are becoming more willing and capable of carrying out cyberattacks. These actors can also use a variety of techniques to compromise IT systems.
Potential Techniques Available to Cyber Attackers

| Threat Type | Description |
| --- | --- |
| Ransomware | Ransomware is a form of malicious software designed to encrypt files on a device, rendering any data and systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. |
| Viruses and worms | A program that “infects” computer files, usually via executable programs, by inserting a copy of itself into the file. These copies are usually executed when the infected file is loaded into memory, allowing the virus to infect other files. Viruses require human interaction to propagate, while worms do not. |
| Spear phishing | Spear phishing is a highly targeted form of cyberattack where criminals send personalized, fraudulent messages—usually via email—to trick specific individuals into revealing sensitive information, transferring money, or installing malware. |
| Watering hole attacks | Watering hole attacks involve attackers compromising legitimate websites used by their target, such as the website for a trade organization or for technical information. Attackers typically infect the targeted website with malware intended to collect information and credentials entered by users on the site. Attackers can then use gathered credentials to gain access to target systems. |
| Supply chain compromise | Attackers may compromise the supply chain of information technology and operational technology products by manipulating hardware or software products before receipt by the end consumer. |
| Remote login exploits | Attackers may exploit services that allow users to connect to network resources from a remote location. The attackers then use these services to access and attack network technologies. |

Source: GAO.
Additionally, since many government technology systems contain vast amounts of personally identifiable information (PII), federal agencies must protect the confidentiality, integrity, and availability of this information—and effectively respond to data breaches and security incidents. Federal agencies reported 32,211 information security incidents to the Department of Homeland Security in FY 2023. Such attacks could result in serious harm to human safety, national security, the environment, and the economy.
To highlight the importance of these issues, GAO has designated information security as a government-wide high-risk area since 1997. This high-risk area was expanded in 2003 to include protecting the cybersecurity of critical infrastructure and, in 2015, to include protecting the privacy of PII.
Ten critical actions needed to address four major cybersecurity challenges
Since 2010, GAO has made over 4,400 recommendations to federal agencies to address cybersecurity shortcomings. However, more than 730 of these had not been fully implemented as of February 2026. Of these, we designated 48 as priority recommendations, meaning that we believe they warrant priority attention from heads of key departments and agencies. Until these shortcomings are addressed, federal and critical infrastructure IT systems will be increasingly susceptible to cyber threats.
For more on GAO's reports and recommendations, see the key reports tab below.