This past summer, the largest cybersecurity attack ever against a federal agency compromised the sensitive personal information of more than 21.5 million people in the United States. That incident and other recent cybersecurity attacks illustrate the dangers of weak cybersecurity practices by government agencies.
Following a recent audit of twenty-four federal agencies’ security practices, the U.S. Government Accountability Office (GAO) determined that government agencies need to correct current weaknesses in security practices and implement previous security recommendations and requirements in order to strengthen their cybersecurity. As the government relies increasingly on internet connectivity, it must bolster its security practices to protect vital information and operations.
The GAO report focused on government cybersecurity programs in 2013 and 2014 and identified five key areas of weakness. Twenty-two agencies reported problems in securing access controls, the controls used to protect computer resources from inappropriate access. In either 2013 or 2014, every agency reported problems ensuring that it only used properly updated and tested software. Over half of the interviewed agencies allowed individuals to access too many key parts of an operation. Eighteen agencies had not developed contingency plans for maintaining operations during some type of disruption, such as a natural disaster or security breach. Finally, almost no agency had implemented an agency-wide security program to assess and manage security policies.
The GAO also found that the number of security incidents reported by federal agencies has increased drastically. The number of incidents affecting systems operations in federal agencies increased more than one thousand percent from 2006 to 2014. Similarly, the number of incidents compromising individuals’ personal information doubled between 2009 and 2014.
As a result of the rise of cybersecurity incidents, the federal government has established a large number of programs designed to help agencies protect their secure data. For example, following the breach of 21.5 million individuals’ personal information earlier this year, the government created a 30-day “cybersecurity sprint” requiring federal agencies to take immediate action, including patching vulnerabilities and tightening policies. The GAO report suggested that successfully implementing all of the steps contemplated under the “sprint” initiative and other similar programs will greatly improve cybersecurity practices throughout the government.
The GAO’s recent report is not the first time that the auditor has reviewed the federal government’s cybersecurity practices. The GAO has previously issued hundreds of recommendations to various agencies about how to strengthen their security practices. However, the GAO’s latest study indicates that many of those previous recommendations still remain to be implemented. For example, the GAO found that the Internal Revenue Service (IRS) had not implemented fifty-one specific security recommendations that the GAO had previously given to the IRS.
The GAO also analyzed agencies’ implementation of the Federal Information Security Management Act of 2002 (FISMA), which requires agencies to assess their own risk factors and conduct risk management activities, such as developing a security plan.
Fewer than two-thirds of the agencies covered in the GAO report had fully assessed their risk factors during 2013 and 2014. The GAO also found a decrease in the number of agencies with an appropriate security plan, the required security training for employees, sufficient periodic testing and continuous monitoring, and an adequately implemented contingency plan. However, it did find that more agencies developed security policies consistent with the FISMA requirements and began to implement remediation programs addressing security flaws. Still, the GAO reported significant weaknesses in these areas as well.
Federal law requires that the Office of Management and Budget and the Department of Homeland Security provide guidance to agencies about enhancing their cybersecurity and reporting compliance. The GAO found that this guidance to agencies was often incomplete or unclear. Furthermore, inconsistencies in reporting between inspectors general of various agencies were common. The GAO recommended developing metrics for FISMA reporting in order to ensure that agencies provide uniform information to facilitate better comparisons.
Ultimately, the GAO concluded that federal agencies continue to have deficient cybersecurity programs that place the agencies and their information at risk. Although agencies improved in fulfilling some FISMA requirements, other requirements remain unimplemented, according to the GAO.
Moving forward, the GAO recommends that the Office of Management and Budget enhance its guidance so that agencies’ reports about their performance will become more consistent. The GAO also recommends that agencies actually implement all of the security requirements imposed by law as well as all of the GAO’s previous cybersecurity recommendations.