Major Cybersecurity Gaps Plague Federal Agencies, GAO Report Says
Federal agencies must do more to fortify their cybernetworks from attacks, said Senate Homeland Security Committee Chairman Joe Lieberman, I-Conn., Ranking Member Susan Collins, R-Maine, and Sen. Tom Carper, D-Del. In a joint statement Monday, they cited a GAO report that said federal agencies’ cybernetworks have significant weaknesses due to their failure to implement information security programs. “There is perhaps no greater vulnerability that Congress has yet to address through legislation than the insecurity of cyberspace,” Collins said. “Today’s report points out too many serious vulnerabilities. We must fortify the government’s efforts to safeguard its own cyber networks from attack and build a public/private partnership to promote stronger national cyber-security.”
Overall, 19 federal agencies reported poor security controls, which they classified as either a “material weakness” or a “significant deficiency,” the report said. The Federal Deposit Insurance Corp. and the National Archives and Records Administration failed to implement access controls to protect the confidentiality, integrity, and availability of their information systems, GAO said. The Internal Revenue Service has “made progress” in correcting previously reported security weaknesses, the report said, “but a significant number of them remained unresolved or unmitigated.” The report did not rank the cybersecurity postures of specific agencies but did acknowledge the positive efforts made by the Department of Homeland Security to secure information systems at the agency level.
The GAO report said 24 federal agencies have “major weaknesses” in their cybersecurity policies, and many agencies are still not compliant with Federal Information Security Management Act (FISMA) requirements. In 2010 there were 41,776 security incidents at federal agencies, a 650 percent increase over the past five years. Incidents that involved malicious code stemming from a virus, worm or Trojan software program were the most prevalent incidents reported by federal cybersecurity officers in 2010. “An underlying cause for information security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented an agency-wide information security program,” the report said.
Federal agencies need to bolster access controls of their information systems and improve identification and authentication, authorization, cryptography, audit and monitoring, boundary protection and physical security, the report said. Agencies must ensure proper configuration management, segregation of duties, and continuity of operations, the report said. “As long as agencies have not fully and effectively implemented their information security programs … federal systems will remain at increased risk of attack or compromise.”
The increase in attacks “demonstrates that federal systems will remain prime targets for the foreseeable future,” said Lieberman. “These findings are all the more troubling given that GAO has been telling us for some time that these are areas of vulnerability and must be addressed, yet we still haven’t made enough progress in shoring up these obvious weaknesses,” Carper said. “Federal agencies need to fully implement meaningful security programs that can withstand the serious cyber challenges we face today and will face for the foreseeable future.”
Collins, Carper and Lieberman are sponsors of S-413, the Cybersecurity and Internet Freedom Act, which would increase federal cybersecurity coordination and provide better monitoring, detection and response capabilities. The legislation is being considered by several Senate committees, including Homeland Security, Commerce, Intelligence, Foreign Relations, and Judiciary, and could be incorporated into the pending cybersecurity bill by Senate Majority Leader Harry Reid, D-Nev.