See if you can guess when this was written:

“When the government purchases products or services with inadequate in-built cybersecurity, the risks persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.”

“Purchasing products and services that have appropriate cybersecurity designed and built-in may have a higher up-front cost in some cases, but doing so reduces total cost of ownership ...”

It sounds like it could easily have come from President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity. Or perhaps his much more recent National Cybersecurity Strategy, released just two months ago. Both documents call for acquisition reform—using the federal government’s purchasing power to force improvements in the security of software products, especially those used in critical infrastructure.

But no. Those declarations were from nearly a decade ago, during the Obama presidency—they are the opening lines of a November 2013 report by the Department of Defense and the General Services Administration titled Improving Cybersecurity and Resilience through Acquisition.

That raises an obvious question: Why does the Biden administration still need to call for acquisition reform?

The answer is also obvious: Because it hasn’t happened yet. This could help explain several recent reports from the federal Government Accountability Office (GAO) noting that nearly 60% of the 335 cybersecurity recommendations it has made to federal agencies since 2010 have not been implemented.

It actually goes well beyond that.
Marisol Cruz Cain, director with the GAO’s Information Technology and Cybersecurity Team, said that “since 2010, we have made more than 4,000 recommendations to agencies aimed at addressing cybersecurity challenges facing the government. More than 670 of these recommendations have been made since the last high-risk update in 2021. As of February 2023, more than 850 recommendations had not been fully implemented, including 52 of 133 priority recommendations.”

In the specific area of supply chain risk management (SCRM), which acquisition reform would address, the GAO reported that of 23 agencies reviewed in 2020, none had fully implemented all seven “foundational practices” of SCRM and 14 had implemented none of them.

Those practices include:

It’s a stark illustration of the gulf between aspiration and reality. Government entities ranging from agency watchdogs like the GAO to presidents can issue exhortations, recommendations—even orders—but that doesn’t guarantee they’ll get done, even if they really need to get done, and better cybersecurity falls into that category. Presidents and members of Congress come and go, after all, while the bureaucracy is about as close as it gets on Earth to eternal life.

Still, it’s ironic that while there is bipartisan support in Congress, at least in theory, for improving cybersecurity, a lot of the details aren’t getting done.

Why? Because when it comes to incentives, there’s not much of a carrot (budget) or a stick (consequences).

Cain said most GAO recommendations are addressed to executive branch agencies, which then have the primary responsibility for implementing them.
She added that most of those agencies agree with the recommendations and that “Congress frequently holds hearings to oversee agencies’ progress in implementing our recommendations—particularly where Congress is not satisfied with progress toward implementing them.”

But ultimately, she said, “There are no consequences for failure to implement a GAO recommendation.”

And when there are no consequences, recommendations logically become a lower priority.

Emile Monette, director of government contracts and value chain security with Synopsys, knows all about inertia within government, even on problems that need to be addressed aggressively—he is a co-author of that 2013 report cited above.

“Most often the agencies are not provided with an additional budget to implement the recommendations, so there are tough internal choices to make about which thing to stop doing so you can do the things the GAO recommended,” he said, adding that the recently released Biden strategy document “doesn’t include resources or measures of effectiveness as the GAO recommends.”

Monette said Congress has the power at least to apply pressure on agencies that fail to implement GAO recommendations.

“When the GAO reports back to the congressional sponsors that the agencies aren’t complying with recommendations, the members have two options, which are the two things Congress can do other than legislate—reduce or add to a budget and conduct oversight hearings,” he said.

But political longevity is a factor in that as well. Agency heads are political appointees, not career civil servants, so are rarely around for more than a few years.
And members of Congress are forever in campaign mode, so they also want to focus on problems that can be resolved quickly.

Whatever the reasons, the failure of any comprehensive response to the GAO recommendations puts the nation at risk of what Monette calls “all the same bad things we talk about all the time—zero-days, unmitigated known vulnerabilities, poor code quality, mismanagement of FOSS [free and open source software], counterfeits, etc.”

Or as Cain put it, “All these recommendations are important and it’s critical that agencies work to implement them. They represent vulnerabilities that could be exploited to carry out devastating cyberattacks.”

She said those could include disruption of critical systems, theft of sensitive information, and threats to economic and national security. “We’ve seen examples of these threats in the SolarWinds hack in late 2020, the Colonial Pipeline shutdown in 2021,” she said. Not to mention the catastrophic breach of the federal Office of Personnel Management in 2015 that compromised the personal information of more than 22 million current and former federal employees.

The only way to move the needle, Monette said, would be for Congress to get more aggressive. But that, he said, is unlikely. The only consequences, he said, tend to be “just the tongue-lashing, sound-bite punishment of agency political appointees by members of Congress. Rarely does anyone lose their job or get subjected to any other punitive actions.”

Don Davidson, director of cyber SCRM programs at Synopsys and also a co-author of the 2013 report, is likewise familiar with good intentions ending up on the shelf.

“There does appear to be some EO & GAO deja vu here,” he said. “Same findings and recommendations—repeat with little or no corrective action—looks like a leadership challenge to put your money where your mouth is.”