The White House's goal of bolstering the cyber resilience of critical infrastructure is being threatened by US federal agencies' lack of oversight of ransomware protections, according to a new Government Accountability Office report.
The GAO noted that some agencies only assess the adoption of basic cybersecurity protections and general guidance in critical sectors like energy and healthcare, rather than federal guidelines on addressing ransomware specifically.
The report analyzed ransomware mitigation strategies in four critical infrastructure sectors - critical manufacturing, energy, healthcare and public health, and transportation.
Most federal agencies that lead and manage risk for four critical sectors have assessed or plan to assess risks associated with ransomware, according to the GAO. However, the agencies have not fully gauged the use of leading cybersecurity practices or whether federal support has mitigated risks effectively in the sectors.
The findings come amid surging ransomware attacks in the past year, and prominent energy and water companies hit at the start of 2024.
Bolstering the cyber resilience of critical industries is a key aim of the White House's National Cybersecurity Strategy, which was unveiled in 2023.
NIST developed a cybersecurity framework for managing ransomware risk in February 2022.
The framework aims help organizations identify and prioritize opportunities for improving their security and resilience against ransomware attacks.
None of the Sector Risk Management Agencies the GAO assessed have determined the extent of adoption of the NIST ransomware profile as recommended by the National Infrastructure Protection Plan, the GAO found.
The risk and management agencies did identify seven other sets of practices from federal agencies and the cybersecurity industry that were used to address ransomware.
The report noted that these practices focus on foundational cybersecurity protections to manage a variety of cyber threats beyond ransomware.
The GAO made a total of 11 recommendations for the four SRMAs to improve the federal government's oversight of the adoption of specific ransomware protections in the relevant critical infrastructure sectors.
These focused on the Secretaries of State developing and implementing routine evaluation procedures.
These are to measure the effectiveness of federal support in reducing the risk of ransomware to the sectors, and determine the extent to which they are adopting leading cybersecurity practices in this area.
The Department of Homeland Security and Department of Health and Human Services agreed with their recommendations.
The Department of Energy partially agreed with one recommendation and disagreed with another.
The Department of transportation agreed with one recommendation, partially agreed with one, and disagreed with a third.
Mark B. Cooper, President & Founder, PKI Solutions, said the report revealed a worrying gap in the understanding and implementation of protections for core systems like identity and encryption in critical infrastructure.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Thu, 01 Feb 2024 17:10:06 +0000