Why GAO Did This Study Cyber-based intrusions and attacks on federal systems and systems supporting our nations critical infrastructure such as communicationsand financial services are evolving and becoming more sophisticated GAO first designated informationsecurity as a government-wide highrisk area in 1997 This was expanded to include the protection of cybercritical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015.