After Problem Discovered, Collaboration with FDA Key to Protecting from Cyber Threats
Today, the committee released a new report from the nonpartisan Government Accountability Office (GAO). The watchdog’s report, “FDA Needs to Rectify Control Weaknesses That Place Industry and Public Health Data at Risk,” is the result of a request initiated by full committee Chairman Fred Upton (R-MI), Health Subcommittee Chairman Joseph Pitts (R-PA), and Oversight and Investigations Subcommittee Chairman Tim Murphy (R-PA). The security of information held and managed by FDA is far better today because of collaboration with the committee and independent auditors, and can serve as a model for future Congress-agency interaction across the government in fortifying cybersecurity.
Independent Audit Requested
In the course of its work, FDA receives and uses a large volume of important non-public information. Because of this, in February 2015, GAO began, at the committee’s request, an evaluation of the integrity of FDA’s management of electronic information. This audit was part of a larger series of audits looking into cybersecurity at HHS. Committee leaders requested the independent audits in December 2013 to ensure that HHS was able to keep the sensitive information it holds safe.
Vulnerability Identified – E&C and FDA Collaborate to Fix the Problem
In late January 2016, GAO auditors provided committee staff an update on the cybersecurity audit they were performing at FDA as part of the committee’s request. At that briefing, GAO informed committee staff that a potentially serious vulnerability had been found in FDA’s network controls, one that could place the information and data in FDA’s possession at severe risk if exploited. The committee considered the vulnerability too serious to leave unaddressed while GAO completed its work, and determined that something needed to be done immediately.
Open Lines of Communication Ensured Swift Action
The committee alerted FDA quickly, and FDA confirmed and addressed the vulnerability. However, that vulnerability, while significant, was only one of many identified by GAO and communicated to committee staff. Continued work and oversight were necessary. Over the next several months, as GAO completed its work, the committee, working with GAO, ensured that FDA was fully aware of any serious vulnerabilities identified so that it could take appropriate action. The committee also asked FDA for a specific plan and schedule for addressing the identified issues, and further asked FDA to engage the United States Computer Emergency Readiness Team (US-CERT) to search FDA’s network for any signs of compromise or unauthorized activity.
FDA’s Cybersecurity Posture Rapidly Improved
Throughout this process, bipartisan committee staff engaged in regular briefings with both GAO and FDA, receiving updates on FDA’s efforts to address the issues identified in the GAO audit, as well as on larger cybersecurity concerns across the entire agency. FDA briefed the committee staff, and the staff provided feedback, which FDA was quick to incorporate into its ongoing remediation effort. Finally, and importantly, the US-CERT assessment has to date found no evidence of compromise or unauthorized activity.
The course of action taken by the committee was one of robust collaboration that proved successful. The committee was able to focus FDA’s priority on cybersecurity issues and encourage the prompt improvement of the security of FDA’s network. FDA used both GAO’s work and the committee’s attention to tighten up its network controls quickly and improve its overall cybersecurity posture.
Robust Collaboration Proves Successful
The committee believes this collaborative process provides a model for further collaboration with federal agencies on cybersecurity issues. The committee also believes that it was preferable to standard Congressional practices of public letters and hearings calling security officials to account.
When dealing with a complex cybersecurity challenge such as the one identified by GAO’s audit, the committee did not believe a public Congressional “hammer” would be the most effective or productive tool to safeguard systems. Given the circumstances, committee staff was concerned that these traditional Congressional responses might well place FDA at increased risk by publicly exposing the vulnerability before it was addressed and otherwise distract from addressing the situation.
FDA Cybersecurity Better Today
While the committee continues to monitor FDA’s progress, the fact remains that FDA’s cybersecurity posture today as compared to when GAO first informed the committee about the vulnerabilities is much improved. The collaborative effort undertaken by all parties involved helped resolve the problem faster, more efficiently, and more effectively than more traditional means.
If we are to protect the valuable information and data held by agencies and organizations across the government, it will require an all-hands-on-deck effort by the executive and legislative branches. Perhaps this collaborative process undertaken by the committee, GAO, and FDA may serve as a model for future cybersecurity oversight.