From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Defending Against Cyber Attacks

Description: How prepared is the federal government for a cyber attack?

Related GAO Work: GAO-19-384: Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges

Released: July 2019

[ Background Music ]

[ Nick Marinos: ] Agencies need to fully establish cybersecurity risk programs as quickly as they possibly can.

[ Matt Oldham: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Matt Oldham. Today we're going to talk cybersecurity and a GAO report looking into how federal agencies are managing cyber threats. Which agencies? Well, almost all of them. Here to explain is Nick Marinos, an Information Technology and Cybersecurity director at GAO. Thanks for joining me, Nick.

[ Nick Marinos: ] Thanks, Matt. Thanks for having me.

[ Matt Oldham: ] So first off, are we as capable as we could be; are we as capable as we should be to counter a cyber threat?

[ Nick Marinos: ] This could be a short podcast. The answer is no, unfortunately. And I think you don't have to look any further than GAO having designated cybersecurity as a High Risk Area in 1997. So 22 years ago we put this thing on our list of the most critical areas for government to really focus on, and in large part because federal agencies at that time were struggling to protect their own systems. Fast forward again 20 years and we're still facing a lot of the same issues today.

[ Matt Oldham: ] And what are some of those issues?

[ Nick Marinos: ] Well, I think probably the best example to describe some of the risks that are out there is to just pick up the newspaper and see breaches that are not only hitting federal agencies but, you know, globally we're seeing it at local government, at state government levels as well, and in private sector companies. A prominent example would be the OPM breach from a few years ago where we saw millions of critical files about government employees and their family members go out the door with the cause of a hack. And we talk about risk -- you know, you mentioned threat. When we talk about risk, it's really the combination between the threat and the vulnerability. So it's about the likelihood of someone being able to try to gain access, unauthorized access to government information, combined with the need for federal agencies to improve their own protections as well.

[ Matt Oldham: ] Are some of these challenges that you found common to all or most of the agencies?

[ Nick Marinos: ] They are, yes. I mean, every agency has to approach, what we call obviously, cybersecurity risk management differently because they are operating within different environments. They have different missions. They may be small. They may be big. They may be spread out across the nation. So all of those factors, those characteristics of a federal agency, are going to drive the need for every agency to assess their risk. And unfortunately that's where we saw multiple agencies fall short. So most of the agencies had yet to establish a strategy for how they were really going to think through, on a continual basis, what are the greatest areas of risk? Most agencies had yet to actually come up with a plan for how they were going to do organization-wide assessments to kind of figure out, okay, where are our most critical pockets of information, and how are we best going to protect it? You mentioned challenges. We did actually go and talk to the federal agencies as well. And we said hey, what's making this such a difficult thing to achieve? Across the board, actually all the agencies pointed primarily to the difficulty in recruiting and then retaining good talent to be able to actually perform the critical cybersecurity risk management activities they had.

[ Background Music ]

[ Matt Oldham: ] It sounds like many of these agencies have some work to do toward standing up the strategies and hiring the right people to help them defend against cyber threats. Nick, are agencies addressing this cyber risk issue separately? Or have you found that they are working together? Are there resources they all can draw from?

[ Nick Marinos: ] There are resources, and there are good institutions in place for that kind of knowledge-sharing to occur. For example, the Federal Chief Information Officers Council has a component of it that also focuses on cybersecurity risks as well. So there are these fora that they can use to really have a meaningful conversation. We've also seen the Office of Management of Budget and the Department of Homeland Security put out guidance, hold meetings with individual agencies to talk about a lot of these risks. We think, however, that given the fact that agencies have still expressed challenges, that more can be done in this area. And we've made recommendations not only to the agencies but also to OMB to try to come up with a better way to share best practices in this area.

[ Matt Oldham: ] Were there any other recommendations you had in this report?

[ Nick Marinos: ] In addition to trying to highlight the need for OMB to do its best to be able to create a good environment for agencies to talk about best practices in this area, we made 58 specific recommendations to the agencies in the places where we thought they needed improvement for their own risk management programs.

[ Matt Oldham: ] So final question, what's the bottom line here?

[ Nick Marinos: ] I think the bottom line is agencies need to fully establish cybersecurity risk programs as quickly as they possibly can. We've got a national issue here in cybersecurity that we need to confront. And the only way we can do so is by knowing what our most valuable information is and how we're going to go about protecting it.

[ Matt Oldham: ] Nick Marinos was talking about the challenges federal agencies are facing when it comes to preparing for cyber threats. Thank you for your time, Nick.

[ Nick Marinos: ] Thanks, Matt.

[ Background Music ]

[ Matt Oldham: ] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at gao.gov.