
GAO Finds That Agencies Lack Insight Of Critical Infrastructure Ransomware Protections


On Tuesday, the Government Accountability Office reported the findings of a year-and-a-half-long performance audit of the federal agencies charged with overseeing the manufacturing, energy, health care and transportation sectors, concluding that “none” know whether protections against ransomware have been implemented.

The six agencies include: CISA, the Department of Energy, the Department of Health and Human Services, the U.S. Coast Guard, Transportation Security Administration, and the Department of Transportation.

It was found that “none have fully assessed the effectiveness of their support to sectors” as directed in the Department of Homeland Security’s 2013 National Infrastructure Protection Plan and they also haven’t “determined the extent of adoption of the National Institute of Standards and Technology’s recommended practices for addressing ransomware.”

The GAO made 11 recommendations to four agencies to, among other things, determine selected sectors’ adoption of cybersecurity practices. DHS and HHS agreed with their recommendations while the DOE and DOT partially agreed.

“Given that ransomware remains one of the most serious and concerning cybersecurity challenges to our nation’s critical infrastructure, it is vital that the SRMAs assess risks and measure the effectiveness of their support activities to better protect their respective sectors from this pervasive threat,” the report said.

Emily Phelps, VP, Cyware, had this comment:

   “This situation underscores the paramount importance of intelligence sharing and collaborative, proactive cybersecurity to safeguard our nation’s critical infrastructure. By fostering an environment where information and strategies are shared across agencies and sectors, we can build a more resilient and responsive defense system.”

Mark B. Cooper, President & Founder, PKI Solutions adds this comment:

   “The GAO report reveals a crucial gap in the understanding and implementation of protections for core systems like identity and encryption in critical infrastructure. Agencies overseeing sectors like manufacturing, energy, healthcare, and transportation lack comprehensive assessments on the adoption of recommended ransomware protections. This situation also highlights the need for a more coordinated approach across agencies and a requirement for a deeper level of assessment to Identity and Encryption systems. This is crucial for strengthening the operational resilience of critical infrastructure against the ever-changing cyber security threat landscape.”

Given how dangerous and pervasive ransomware attacks are, everyone needs to step up their game to ensure that they aren’t the next victim of a ransomware attack. Thus I hope that these agencies take the advice of the GAO and take immediate action.
