Agency cybersecurity deficiencies remain as attacks reach all-time high

Friday - 3/8/2013, 10:06am EST

Jason Miller, executive editor, Federal News Radio


Hackers tried to breach federal networks more than 48,000 times in 2012, and those are just the ones agencies knew about and reported to the U.S. Computer Emergency Readiness Team (US-CERT), run by the Homeland Security Department.

These attacks against agencies, which reached an all-time high last year, come as the Government Accountability Office continues to find agencies are not prepared for this constantly growing cyber assault.

But it's not just a matter of total incidents. It's also well known that the variety of attacks and the sophistication of the attackers behind them are increasing.

GAO found improper usage, malicious code, and unauthorized access were the most widely reported types of attacks across the government.

"This is why we've been designating information security as a high risk area since 1997 is because of agencies, I wouldn't say their inability, but their lack of meaningful success in securing their systems and meeting many of the requirements for securing their systems," said Greg Wilshusen, GAO's director of information security issues, Thursday during a hearing on cybersecurity of the Senate Homeland Security and Governmental Affairs Committee.

GAO released a whole set of statistics about agency cybersecurity progress ahead of the Office of Management and Budget's annual report to Congress on the government's progress in implementing the Federal Information Security Management Act (FISMA).

Where's the FISMA report?

In fact, Sen. Tom Coburn (R-Okla.), ranking member of the committee, said he was disappointed OMB didn't release the FISMA report before the hearing.

"There's no reason for it other than it shows significant criticism of our ability to manage critical information within the federal government," he said. "I will apologize to them vociferously if, in fact, my assessment of that report [is wrong]. But not to put it out before this hearing is absolutely ridiculous because we all know, and GAO will testify today what we all know, is the status within our own government of how we are doing. It's unfortunate that we've chosen not to have a critical piece of information that analyzes a report on us for this hearing."

OMB typically releases the FISMA report in March, but there is no set date for when it comes out.

"The administration appreciates the importance of the FISMA report, and is working to provide it to Congress as expeditiously as possible," an OMB spokeswoman said by email in response to Coburn's criticism.

No matter when OMB finally releases the annual report, expected sometime in March, agencies' progress toward securing their systems will continue at a slow pace.

GAO found not only that the number of incidents reported to US-CERT increased to more than 48,000 in 2012, from more than 42,000 in 2011, more than 41,000 in 2010 and almost 30,000 in 2009, but also that what agencies are doing in response to those incidents is lacking.

Auditors say 19 of 24 major federal agencies reported that information security control deficiencies were either a material weakness or significant deficiency in internal controls over financial reporting.

Further, inspectors general at 22 of 24 agencies cited information security as a major management challenge for their agency.

GAO also found that most of the 24 major agencies had information security weaknesses in most of five key control categories:

  • Implementing agencywide information security management programs that are critical to identifying control deficiencies, resolving problems and managing risks on an ongoing basis

  • Limiting, preventing and detecting inappropriate access to computer resources

  • Managing the configuration of software and hardware

  • Segregating duties to ensure that a single individual does not control all key aspects of a computer-related operation

  • Planning for continuity of operations in the event of a disaster or disruption.

"It's not an easy job in terms of implementing effective security over time because the environment is constantly changing, new technologies are being implemented into the computing environment, the threats are becoming more sophisticated and business practices are changing," Wilshusen said. "But at the same time, agencies need to implement the appropriate processes to assess their risk and, then based on that risk, select the appropriate controls to cost-effectively reduce those risks to an acceptable level, and then ensure those controls are effectively implemented, tested and assure they remain appropriate."

While much of the hearing focused on the Cyber Executive Order President Obama issued last month, the desire to update FISMA crept into the discussion. The Senate's comprehensive cybersecurity bill that failed last session included an update to the 10-year-old FISMA law. The House also passed a separate bill to revise FISMA, but the Senate didn't consider the legislation.