Continued efforts needed to protect information systems from evolving threats

Thursday - 10/21/2010, 1:23pm EDT

WFED's Francis Rose talks with Gregory Wilshusen, Director, Information Security Issues, GAO

Click below to hear the interview

Download mp3

By Greg Wilshusen
Government Accountability Office

Pervasive and sustained cyber attacks continue to pose a potentially devastating threat to the systems and operations of the federal government. And federal agencies face many challenges in combating this threat.

Cyber-based threats are evolving and growing. Cyber-based threats to federal systems and critical infrastructure can be unintentional or intentional, targeted or non-targeted, and can come from a variety of sources.

Unintentional threats can be caused by inattentive or untrained employees, software upgrades, and equipment failures that inadvertently disrupt systems or corrupt data. Intentional threats include both targeted and non-targeted attacks.

A targeted attack is when a group or individual attacks a specific system, person, or cyber-based critical infrastructure. A non-targeted attack occurs when the intended target of the attack is uncertain, such as when a virus, worm, or other malicious software is released on the Internet with no specific target.

Potential attackers such as foreign nations, criminals, terrorists, hackers, and disgruntled employees have a variety of techniques at their disposal, which can vastly enhance the reach and impact of their actions. For example, cyber attackers do not need to be physically close to their targets, their attacks can easily cross state and national borders, and cyber attackers can more easily preserve their anonymity. Further, the growing inter-connectivity between information systems, the Internet, and other infrastructure presents additional avenues for such attacks.

Reported security incidents are on the rise. The number of incidents reported by federal agencies has skyrocketed over the past 4 years, jumping from about 5,500 incidents in fiscal year 2006 to about 30,000 in fiscal year 2009 (about a 440 percent increase).

These incidents put sensitive information at risk. Personally identifiable information about Americans has been lost, stolen, or improperly disclosed, thereby potentially exposing those individuals to loss of privacy, identity theft, and financial crimes. Reported attacks and unintentional incidents involving critical infrastructure systems demonstrate that a serious attack could be devastating. The growing threats and incidents underscore the need for effective information security policies and practices.

Vulnerabilities pervade federal information systems. Serious and widespread information security control deficiencies continue to place federal assets at undue risk of inadvertent or deliberate misuse, sensitive information at risk of inappropriate disclosure or unauthorized modification or destruction, and critical operations at risk of disruption. As illustrated below, most major federal agencies have weaknesses in most of the key information security control areas.

Over the last several years, our audits have consistently determined that most agencies have not sufficiently implemented controls to prevent, limit, or detect unauthorized access to computer networks, systems, or information. For example, 21 of 24 major federal agencies reported that inadequate IT system controls were a significant deficiency or material weakness for financial reporting purposes in fiscal year 2009. An underlying cause of these weaknesses is agencies' failure to fully or effectively implement information security management programs, which entail assessing and managing risk, developing and implementing security policies and procedures, promoting security awareness and training, monitoring the adequacy of security controls, and implementing appropriate remedial actions.

However, multiple opportunities exist to bolster cybersecurity. Federal agencies and the Administration can take a number of steps to better protect federal systems and cyber-based critical infrastructure.

  • Implement GAO and IG recommendations. In light of weaknesses in agencies' information security practices and controls, GAO and inspectors general have made hundreds of recommendations to mitigate identified deficiencies and improve security, many of which agencies are implementing.
  • Implement government-wide cybersecurity initiatives. The White House and the Office of Management and Budget, collaborating with other agencies, have launched several initiatives, such as the Comprehensive National Cybersecurity Initiative, Federal Desktop Core Configuration, Einstein, and Trusted Internet Connections, that are aimed at improving aspects of federal cybersecurity.
  • DHS needs to fully satisfy its cybersecurity responsibilities. The Department of Homeland Security, which plays a key role in coordinating cybersecurity activities with the private sector, also needs to fulfill its responsibilities, such as developing capabilities for protecting cyber-reliant critical infrastructures and implementing lessons learned from a major cyber simulation exercise. In addition, DHS will need to build its capabilities to effectively execute its recently assigned responsibilities within the executive branch for operational aspects of federal agency cybersecurity.
  • Update the national cybersecurity strategy. GAO has testified on the need to improve the nation's cybersecurity strategy. A panel of experts convened by GAO made several recommendations for improving the strategy that in their view are essential to improving the strategy and our national cybersecurity posture.

Although not a comprehensive list, realizing these opportunities for improvement can help ensure that the federal government's systems, information, and critical cyber-reliant infrastructure are better protected.

Greg Wilshusen is the Director of Information Technology at the Government Accountability Office.