Federal agencies have yet to implement about a thousand recommendations to improve information security and many officials are increasingly unaware of the origins of cyber attacks on their networks, according to a new report from the Government Accountability Office.

A House panel on Wednesday pressed GAO director Gene Dodaro and new federal CIO Suzette Kent on the report’s findings that the administration’s national cyber strategy lacks the necessary components to ensure federal agencies are able to protect their information systems in the face of growing adversarial cyber threats.iStock Cyber Lock

“It should concern all of us that the GAO has concluded in the interim High Risk report, that spurred this hearing, that urgent actions are needed to address ongoing cyber security challenges in the federal government,” Rep. Will Hurd (R-Texas), chairman of the House IT subcommittee, said during his opening statement.

GAO has made 3,000 recommendations since 2010 to federal agencies to address the most pressing cyber challenges, of which 1,000 have yet to be implemented as of June.

“It’s not acceptable given the threat we face. These open lingering vulnerabilities put us at an incredible risk,” Hurd said.

Federal agencies reported 35,000 cyber incidents in fiscal year 2017, but many agencies are still unaware of the origin of attacks, according to Dodaro.

Agencies selected “other” when reporting cyber incidents 31 percent of the time, meaning officials were unaware of the exact vulnerability that may have been exploited.

“That means that it’s unknown in some of these cases how these things have occurred. That’s the concerning part of this,” Dodaro said.

The new report calls for the White House to develop a more comprehensive cyber strategy for failing to include several basic components in its current version, including performance measurements, cyber objective milestones and resources needed to meet those objectives.

Rep. Robin Kelly (D-Ill.), IT subcommittee ranking member, said the White House’s decision to eliminate its national cyber security coordinator role will complicate the process of putting together a more robust strategy.

Dodaro said a new strategy would need to have more effective mechanisms for overseeing implementation of improved cyber security practices.

“This is to include global supply chain issues, critical workforce issues and dealing with emerging technologies that are going to bring new risk, such as artificial intelligence, the Internet of Things and quantum computing,” Dodaro said.

Kent told the House panel that as a result of cyber executive order issued by the president last spring federal agencies were able to complete 37 of 52 IT modernization tasks, including safeguarding high value assets, network consolidation, use of commercial cloud.

“We intend to complete the remaining tasks by the end of the year,” Kent said.