GAO, government accountability office
© unknown
Reports of network security incidents at federal agencies have soared 650 percent during the past half-decade, jeopardizing the confidentiality and integrity of sensitive government information, federal auditors charged in a congressionally mandated report.

The most prevalent types of cyber events included infections from malicious code -- 30 percent of incidents; violations of acceptable use policies; and intrusions into networks, applications and other data resources, states a Government Accountability Office report released on Monday. GAO auditors are required by law to periodically update Congress on departments' compliance with a computer security measure called the 2002 Federal Information Security Act, or FISMA.

During the past five years, the number of reported events has grown from 5,503 in 2006 to 41,776 in 2010.

The main reason agency computers are vulnerable to contamination is departments have failed to implement security controls, according to the audit. Agencies do not always adequately train personnel responsible for system security, regularly monitor safeguards, successfully fix vulnerabilities or resolve incidents in a timely fashion.

"These shortcomings leave federal agencies vulnerable to external as well as internal threats," wrote Gregory C. Wilshusen, GAO director for information security issues. "As long as agencies have not fully and effectively implemented their information security programs, including addressing the hundreds of recommendations that we and inspectors general have made, federal systems will remain at increased risk of attack or compromise."

The assessment cited a recent audit that found IRS has neglected to block employees from using databases they aren't required to access for their jobs.

"As a result, financial and taxpayer information remain unnecessarily vulnerable to insider threats and at increased risk of unauthorized disclosure, modification, or destruction," Monday's report states.

The analysis was based on information security-related reports and data from 24 major federal agencies and their federal overseers collected between September 2010 and October 2011.

One security breach involved a network user who was duped by a targeted email into visiting a malicious website. He navigated to the site "on the pretense that he had won a new car in a lottery he supposedly entered by answering some simple questions about his pets. Later, he found that several credit cards had been opened in his name and large amounts of pet supplies had been ordered without his knowledge," the report explains.

For years, GAO has designated cybersecurity as a high-risk area for the federal government because agencies do not have information security programs or plans for managing risk. FISMA requires that such plans include security policies, security awareness training and surveillance of computer safeguards. "Of the 24 major agencies, none had fully or effectively implemented an agencywide information security program," the report states.

While agencies have taken steps to shift from annual reviews of system controls to automated, continuous monitoring, 17 out of the 24 agencies had not finished transitioning to this form of real-time surveillance. The Office of Management and Budget recently developed new metrics for gauging departmentwide security posture. But all but one of the measures failed to include performance targets that would allow agencies to track progress over time. For instance, one item asks agencies to document the average time it takes to detect and recover from an incident, but does not provide a yardstick for monitoring improvement.

OMB officials told GAO that targets were not mentioned because they are set by separate memorandums and federal standards. In Monday's report, GAO officials said such communications are insufficient and performance targets should be listed in annual FISMA instructions.

The auditors and OMB officials agreed that going forward the Department of Homeland Security, which oversees federal cyber operations, will include thresholds in its yearly FISMA directions.

"DHS will continue to support its federal agency partners as they improve their individual cybersecurity postures and the posture of the federal enterprise as a whole," wrote Jim Crumpacker, director of Homeland Security's GAO-OIG liaison office in a Sept. 16 letter responding to a draft report.

Legislation to strengthen FISMA through required continuous monitoring and expanded DHS powers is pending in the Senate as part of an expected national cybersecurity bill.

"GAO reports that the federal government must do a whole lot more to ensure the integrity of its information and information systems," Sen. Joe Lieberman, I-Conn., author of the measure, S. 413, and chairman of the Senate Homeland Security and Governmental Affairs committee said in a statement. "Reports of security incidents have risen 650 percent in the past five years -- an increase that demonstrates that federal systems will remain prime targets for the foreseeable future."

Ranking Republican Sen. Susan Collins, R-Maine, a co-sponsor, added, "There is perhaps no greater vulnerability that Congress has yet to address through legislation than the insecurity of cyberspace . . . Reform legislation continues to languish. This simply cannot continue because the stakes are far too high."

On Monday, a House Republican task force was expected to deliver to Speaker John Boehner, R-Ohio, recommendations for FISMA changes, as well as other sweeping U.S. network security reforms.