The Government Accountability Office (GAO) has published a report stating that the White House's efforts to boost the cyber resilience of critical infrastructure are at risk because of a lack of oversight of ransomware protections by US federal agencies.
The GAO found that some agencies are only evaluating the adoption of fundamental cybersecurity protections and general guidance in critical sectors such as energy and healthcare, rather than following federal guidelines that specifically address ransomware.
The report analyzed ransomware mitigation practices in four critical infrastructure sectors: critical manufacturing, energy, healthcare and public health, and transportation.
Although most federal agencies leading and managing risk for these sectors have assessed or plan to assess risks associated with ransomware, they have not fully evaluated the use of leading cybersecurity practices or whether federal support has effectively mitigated risks in these sectors.
The report comes as ransomware attacks have surged in the past year, with prominent energy and water companies being targeted at the start of 2024.
The White House's National Cybersecurity Strategy, unveiled in 2023, aims to strengthen the cyber resilience of critical industries.
Lack of Assessment of Ransomware Protection Measures
In February 2022, NIST developed a cybersecurity framework for managing ransomware risk, but none of the Sector Risk Management Agencies (SRMAs) assessed by the GAO have determined the extent of adoption of this framework, as recommended by the National Infrastructure Protection Plan (NIPP).
The report also highlighted that the seven sets of practices identified to address ransomware did not fully align with leading federal practices established by NIST, and many agencies and officials in critical sectors were not familiar with NIST's ransomware profile.
Improving Oversight of Ransomware Protection in Critical Infrastructure
The GAO made 11 recommendations for the four SRMAs to improve the federal government's oversight of the adoption of specific ransomware protections in critical infrastructure sectors.
The Department of Homeland Security (DHS) and Department of Health and Human Services (HHS) agreed with the recommendations, while the Department of Energy (DOE) and Department of Transportation (DOT) partially agreed and disagreed with some recommendations.
"This situation also highlights the need for a more coordinated approach across agencies and a requirement for a deeper level of assessment to strengthen the operational resilience of critical infrastructure against cybersecurity threats," said Cooper.