International Trade Today is a service of Warren Communications News.
Stuxnet-Like Attack

Major Federal Agencies Reported Inadequate Information Security Controls in 2011, Says GAO

Eighteen out of 24 major federal agencies reported inadequate information security controls for financial reporting for fiscal 2011, and inspectors general at 22 of these agencies cited information security as a major management challenge for their agency, the House Subcommittee on Oversight, Investigations, and Management was told Tuesday. Assessments of information security controls in 2011 showed that most major agencies had weaknesses in most major categories of information system controls, Gregory Wilshusen, director of information security issues at the GAO, told a committee hearing on cybersecurity and the need for urgent action.

The GAO has found vulnerabilities in systems that monitor and control sensitive processes and physical functions supporting critical infrastructure, he said. These weaknesses could be exploited by “threat actors, with potentially severe effects,” he said. Over the past six years, the number of cybersecurity incidents reported by federal agencies has increased by nearly 680 percent, he said. The number of incidents reported increased from 5,503 in 2006 to 42,887 in 2011, he said.

Saying the “potential of cyber attacks is frightening,” Committee Chairman Michael McCaul, R-Texas, sought quick action to protect the nation’s critical infrastructure. The Stuxnet worm launched against the Iranian nuclear program is “so devious in its use of computer vulnerabilities with such a multi-pronged approach that the Iranians had no idea they were attacked,” he said. “Such a successful attack against the United States with viruses designed to manipulate, bring down industrial control systems, could cause devastating human and economic losses.”

McCaul said the GOP leadership did not bring HR-3624, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PrECISE) Act, to the House floor for a vote this week because it did not get a “bipartisan vote” in the Homeland Security Committee. House Homeland Security Committee Ranking Member Bennie Thompson, D-Miss., said the GOP leadership’s failure to bring the measure to a vote was a “missed opportunity” to take “urgent action.” While the bill wasn’t perfect, it did take a “number of steps in the right direction” and would have strengthened the nation’s cybersecurity, he said. McCaul said he was willing to work with Thompson to send a “more bipartisan bill to the House floor.”

The nation’s cyber adversaries are “persistent,” and it won’t suffice to stop their attacks once or twice, said Shawn Henry, former FBI executive assistant director. The issue with existing technologies and threat mitigation tactics is that they are “too focused on adversary tools” such as malware and “exploits” and not on “who the adversary is and how they operate,” he said. Unless the focus is on the “enemy” and the fight is taken to them “to raise their cost of attack, we will fail because they will always get through.” Intelligence sharing is critical in the fight, he said.