Challenges
The pervasive adoption of cloud computing can increase network management complexity and raise the risk of cloud misconfigurations, improperly secured APIs and other avenues hackers can exploit. More remote work, hybrid work and bring-your-own-device (BYOD) policies mean more connections, devices, applications and data for security teams to protect. Proliferating Internet of Things (IoT) and connected devices, many of which are unsecured or improperly secured by default, can be easily hijacked by bad actors.
Challenge #1:
- The rise of artificial intelligence (AI), and of generative AI in particular, presents an entirely new threat landscape that hackers are already exploiting through prompt injection and other techniques. According to recent research from the IBM® Institute for Business Value, only 24% of generative AI initiatives are secured. A World Economic Forum study found that the global cybersecurity worker gap—the gap between cybersecurity workers and jobs that need to be filled—might reach 85 million workers by 2030. Closing this skills gap can have an impact. According to the Cost of a Data Breach 2024 Report, organizations suffering from a high-level shortage of security skills saw an average cost per breach of USD 5.74 million, compared to USD 3.98 million for organizations with lower-level skills shortages. Resource-strained security teams will increasingly turn to security technologies featuring advanced analytics, artificial intelligence (AI) and automation to strengthen their cyber defenses and minimize the impact of successful attacks. (IBM)
- National Cybersecurity Strategy isn’t as strong as it could be: Last year, the White House issued a National Cybersecurity Strategy outlining steps the government is taking to address the longstanding cybersecurity challenges facing the country. But how will the government know if its strategy is working? When we looked at the strategy, we found it needed outcome-oriented performance measures for various cybersecurity initiatives. In addition, the federal government needs to take action to ensure it is monitoring the global supply chain, confirm it has the highly skilled cyber workforce it needs, and address risk associated with emerging technologies—such as artificial intelligence.
- The government and the private sector are at risk when emerging threats aren’t addressed. We saw such an attack around January 2019 after a network breach at SolarWinds. The Texas-based network management software company was widely used by the government to monitor network activities and manage network devices on federal systems. A Russian-led attack on SolarWinds resulted in one of the most widespread and sophisticated hacking campaigns ever conducted against the U.S. We’ve made nearly 400 recommendations to strengthen the National Cybersecurity Strategy and agencies’ ability to perform effective oversight. As of May, 170 of our recommendations have not been acted on.
Challenge #2:
- Agencies remain limited in their ability to improve the security of federal systems and information: Federal agencies rely extensively on computerized information systems to conduct day-to-day business, including interactions with the public. Many of these systems house important taxpayer information—including Social Security numbers, income information, tax filing information, loan data, and more. Ineffective security controls could not only leave these systems vulnerable to attack, but also delay the response to attacks.
- For example, in December 2021, a vulnerability in a piece of open-source software known as “Log4j” was reported. Log4j is used to collect and manage information about system activities and is used in millions of federal and private information systems. A 2013 update of Log4j was intended to make data storage and retrieval easier. But in November 2021 (8 years later), a security engineer reported a vulnerability in the feature. Federal agencies were directed to address this vulnerability. Even though there hasn’t been a known Log4j-based attack on federal IT, the weakness was deemed an “endemic vulnerability”—meaning that vulnerabilities will remain in systems for years despite actions to address them.
- We’ve reported on federal efforts to help agencies address weaknesses like these so that systems and information are more secure. We’ve made more than 800 recommendations to improve efforts. But 221 of these recommendations have not been implemented, as of May. Doing so can greatly enhance the federal response to cyber incidents.
Challenge #3:
- Critical infrastructure sectors remain vulnerable to disruptive attacks: A ransomware attack on Change Healthcare, a health payment processor, made headlines. The attack shut down operations, resulting in nearly $874 million in financial losses and widespread disruptions for providers and patient care. Medical procedures were delayed and patients were unable to access medications. Health care is just one of our 16 critical infrastructure sectors that is vulnerable to cyberattacks. All of these sectors rely heavily on IT systems to operate.
- Attacks on critical infrastructure sectors continue to grow and could seriously harm human safety, national security, the environment, and the economy. The federal government has taken some steps to address the challenges with protecting these systems from cyberattacks. But we see persistent shortcomings in these efforts. In January, we reported that the federal agencies responsible for the four sectors that have reported almost half of all ransomware attacks—health care and public health, critical manufacturing, energy, and transportation—had not determined whether their actions to prevent future attacks include leading practices. In March, we reported on the challenges agencies face when collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) on mitigating cyber risks in their sectors.
- These challenges included sharing information about potential threats. Last December, we highlighted challenges reported by nonfederal entities in accessing the support they need from the federal government to address vulnerabilities. We’ve made 126 recommendations to better protect the cybersecurity of critical infrastructure. Action is still needed on 64 of them.
Challenge #4:
- Efforts to protect your personal privacy face limitations: In March, AT&T reported that some of its data—which included sensitive personal information such as Social Security numbers and passcodes—had been released onto the dark web. As many as 7.6 million current and approximately 65.4 million former AT&T account holders were affected. Attacks like these are becoming more common. At the same time, we found that federal agencies are limited in their ability to help prevent and respond to them. In 2022, we reported about the risks posed by the increasing collection and use of personal information from consumers. For example, companies collect personal and transactional data to create consumer scores, which are used to predict how consumers will behave in the future.
- While collection and use of personal data increases, there’s still no comprehensive U.S. internet privacy law about companies’ collection, use, or sale of your data. This leaves consumers like you with limited assurances that your privacy will be protected. Data the government collects about you is also at risk. In August 2023, we reported on how the IRS monitors access to sensitive taxpayer information. We found that IRS didn’t have a comprehensive inventory of the systems that store this information, limiting its ability to protect data. (USGOA)
Solutions
- Security awareness training: helps users understand how seemingly harmless actions—from using the same simple password for multiple log-ins to oversharing on social media—increase their own or their organization’s risk of attack. It can help employees protect sensitive personal and organizational data. It can also help them recognize and avoid phishing and malware attacks.
- Data security tools: such as encryption and data loss prevention (DLP) solutions, can help stop security threats in progress or mitigate their effects. DLP tools can detect and block attempted data theft, while encryption can make it so that any data that hackers steal is useless to them.
- Identity and access management (IAM): refers to the tools and strategies that control how users access resources and what they can do with those resources. IAM technologies can help protect against account theft.
- Multifactor authentication requires users to supply multiple credentials to log in, meaning threat actors need more than just a password to break into an account. Adaptive authentication systems detect when users are engaging in risky behavior and raise additional authentication challenges before allowing them to proceed. Adaptive authentication can help limit the lateral movement of hackers who make it into the system.
- A zero trust architecture is one way to enforce strict access controls by verifying all connection requests between users and devices, applications and data.
- Attack surface management (ASM): is the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface. Unlike other cyberdefense disciplines, ASM is conducted entirely from a hacker’s perspective rather than the perspective of the defender. It identifies targets and assesses risks based on the opportunities they present to a malicious attacker.
- Threat detection and response: Analytics- and AI-driven technologies can help identify and respond to attacks in progress. These technologies can include security information and event management (SIEM), security orchestration, automation and response (SOAR) and endpoint detection and response (EDR). Typically, organizations use these technologies as part of a formal incident response plan.
- Disaster recovery: plays a key role in maintaining business continuity and remediating threats in the event of a cyberattack. For example, the ability to fail over to a backup that is hosted in a remote location can help a business resume operations after a ransomware attack (sometimes without paying a ransom). (IBM)