GAO – Stronger Cybersecurity Controls Needed

It’s hardly a secret that Federal systems experience cyber-based threats. While some are targeted attacks, others are unintentional and linked to events such as equipment failure. Managers are understandably concerned, given that reported information security incidents have risen from 5,503 in fiscal year (FY) 2006 to 67,168 for FY 2014, according to the Government Accountability Office (GAO).

For several years the GAO has designated information security and computer systems supporting National infrastructure as high-risk areas. The GAO recently expanded these high-risk areas to encompass protecting privacy and personally identifiable information (PII) that is collected, maintained and shared by Federal agencies and bodies outside of government.

GAO conducted a comprehensive evaluation of Federal cybersecurity issues and recently testified on the Agency’s findings before Congress. The Agency’s statement summarized:

  • Cyber issues threatening Federal systems
  • Challenges for agencies trying to secure information and systems
  • Initiatives across the Federal Government to improve cybersecurity

The Nature of Cyber-based Threats

Federal assets can be put at risk by either intentional or unintentional threats. Intentional threats may be targeted or untargeted and come from sources with different capabilities, motives, willingness to act, monetary bases, military concerns, political aspirations or economic motivation.

In 2014 and 2015, five agencies reported incidents. An Office of Personnel Management (OPM) systems intrusion affected personnel data of approximately 4 million Federal workers and former employees. The Internal Revenue Service (IRS) cited unauthorized access to information related to approximately 100,000 taxpayer accounts. The Department of Veterans Affairs (VA) indicated that two contractors used personal equipment to gain unauthorized access to the Agency’s network from overseas locations. The U.S. Postal Service (USPS) reported a cyber-intrusion that could have compromised personally identifiable information (PII) of approximately 800,000 employees.

Common adversaries, GAO notes, include:

  • Bot-network operators
  • Criminal groups
  • Hackers and hacktivists
  • Insiders
  • Nations
  • Terrorists

Any adversary could use a combination of tactics. The most common types of cyber exploits include:

  • Cross-site scripting
  • Denial-of-service attacks
  • Malware
  • Phishing and spear phishing
  • Spamming
  • Passive wiretapping
  • Spoofing
  • Structured Query Language injection
  • Zero-day exploitation
  • War driving

Cyber-attacks are particularly problematic because they do not require physical proximity to intended victims, can target multiple victims at the same time, can occur very quickly and easily permit perpetrators to remain anonymous. All of these factors, combined with steadily advancing sophistication of technology, appeal to adversaries targeting both Federal agencies and the contractors supporting them.

Agency Challenges

GAO worked in conjunction with agency inspectors general to name specific challenges that agencies must overcome in safeguarding Federal systems and information to lower the risk of compromise from cyber-based attacks or other types of threats. Specifically cited were:

  • Designing and implementing cybersecurity programs that are risk-based
  • Increasing information technology (IT) contractor oversight
  • Improving response activities related to security incidents
  • Issuing guidance for responding to agency PII breaches
  • Launching security programs for small agencies

Government-wide Initiatives

GAO indicated that beyond efforts of individual agencies, the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) have undertaken a number of initiatives to boost cybersecurity Government-wide.

  • Personal identity verification was launched in 2004 and mandated reliable types of identification for Federal employees and contractors with certain types of access to facilities and information systems. Agencies have had mixed results implementing “smart cards.” DHS has taken action to implement GAO recommendations for overcoming obstacles with this program.
  • Continuous Diagnostics and Mitigation (CDM) is an initiative to assist agencies in identifying cybersecurity risks on an ongoing basis, prioritizing them according to potential impact and allowing personnel to address the most significant issues first; it includes sensors and alerts for network managers.
  • National Cybersecurity Protection System, also known as NCPS or EINSTEIN, is a capability suite created to find malicious network traffic and stop it from entering and leaving federal civilian agency networks. The GAO is currently reviewing the results of NCPS implementation.

The Bottom Line

Both agency-specific and Government-wide initiatives have been undertaken to meet cybersecurity threats. However, GAO emphasizes that no single technology or set of procedures is sufficient to protect the Federal Government against all possible threats.

The key to meeting this challenge is an in-depth strategy that provides for personnel who are well trained, processes that are consistently applied and effective, and technologies that are appropriately implemented. Although agencies already have pieces of such a strategy, much work is required to fully implement initiatives and fix known weaknesses. Agencies can boost their ability to protect against devastating attacks by continuing to implement GAO and agency inspector general recommendations.
