A recent Government Accountability Office (GAO) report has highlighted the lack of oversight by US federal agencies in assessing the effectiveness of their support to critical infrastructure sectors in addressing ransomware threats. This lack of oversight is jeopardizing the White House’s goal of enhancing the cyber resilience of critical infrastructure [1] [2].

Description

The GAO report emphasizes the importance of evaluating risks and measuring the effectiveness of support activities to better protect critical infrastructure [3]. It specifically analyzed ransomware mitigation strategies in the critical manufacturing, energy, healthcare, and transportation sectors [1] [2] [3]. The report revealed that some agencies are only assessing basic cybersecurity protections and general guidance in these sectors, rather than federal guidelines specifically addressing ransomware [1] [2]. Although most federal agencies are assessing, or plan to assess, the risks associated with ransomware, they have not fully evaluated the adoption of leading cybersecurity practices or the effectiveness of federal support in mitigating those risks [1] [2]. This is concerning given the surge in ransomware attacks, particularly those targeting energy and water companies.

The GAO made 11 recommendations to improve cybersecurity practices [2] [3]; some agencies fully agreed with them and others only partially agreed. The report found that none of the Sector Risk Management Agencies (SRMAs) have determined the extent to which the National Institute of Standards and Technology (NIST) ransomware profile has been adopted, which hinders the achievement of the White House’s goal [2]. It also highlighted a misalignment between the practices used to address ransomware and the leading federal practices established by NIST [2]. To address these issues, the GAO recommended routine evaluation procedures and the adoption of leading cybersecurity practices [2].

Conclusion

The lack of oversight by federal agencies in assessing the effectiveness of their support to critical infrastructure sectors in addressing ransomware threats has significant implications. It hinders the achievement of the White House’s goal of enhancing the cyber resilience of critical infrastructure. The surge in ransomware attacks, particularly targeting energy and water companies, further emphasizes the urgency of addressing this issue. The GAO’s recommendations for routine evaluation procedures and the adoption of leading cybersecurity practices are crucial steps towards mitigating risks and strengthening the operational resilience of core systems in critical infrastructure. A coordinated approach and deeper assessment of identity and encryption systems are also necessary to ensure the future protection of critical infrastructure.

References

[1] https://www.infosecurity-magazine.com/news/us-agencies-ransomware-white-house/
[2] https://flyytech.com/2024/02/01/us-agencies-failing-to-oversee-ransomware-protections/
[3] https://itnerd.blog/2024/02/01/gao-finds-that-agencies-lack-insight-of-critical-infrastructure-ransomware-protections/