When it comes to our nation's information systems and cyber infrastructures, the hackers never stop trying to smash them and the government should never stop trying to protect them. But while threats to information systems are evolving, federal information systems in particular are not keeping up to consistently thwart threats.
That was part of the conclusion reached in a report issued this week by watchdogs at the Government Accountability Office, which concluded that serious and widespread information security control deficiencies continue to place federal assets at risk of inadvertent or deliberate misuse, financial information in jeopardy of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure and the threat of critical operations disruption.
And threats there are aplenty: the number of incidents reported by federal agencies to US-CERT has increased over the past 4 years, from 5,503 incidents reported in fiscal year 2006 to about 30,000 incidents in fiscal year 2009, or over 400%, the GAO stated.
The biggest security problems fall into four areas, the GAO stated: malicious code; improper usage or a violation of acceptable computing use policies; unauthorized access; and unconfirmed incidents that are potentially malicious or anomalous activity.
According to the GAO, there are efforts underway to lock down security, but there are four projects in particular that need constant pressure to succeed.
- Comprehensive National Cybersecurity Initiative (CNCI): The initiative is intended to reduce vulnerabilities, protect against intrusions, and anticipate future threats against federal executive branch information systems. The GAO said the White House and federal agencies have established interagency groups to plan and coordinate CNCI activities. However, the initiative faces challenges in achieving its objectives related to securing federal information, including better defining agency roles and responsibilities, establishing measures of effectiveness, and establishing an appropriate level of transparency. Until these challenges are adequately addressed, there is a risk that CNCI will not fully achieve its goals, the GAO stated.
- Federal Desktop Core Configuration (FDCC): Here, the Office of Management and Budget directed agencies that have workstations with Windows XP and/or Windows Vista operating systems to adopt security configurations developed by the National Institute of Standards and Technology, the Department of Defense, and DHS. The goal of this initiative is to improve information security and reduce overall information technology operating costs. The GAO recently reported that while agencies have taken actions to implement FDCC requirements, none of the agencies has fully implemented all configuration settings on their applicable workstations. The GAO recommended that OMB assess the risks of agencies having deviations from the approved settings and monitor compliance with FDCC.
- Einstein: The computer network intrusion detection system that analyzes network flow information from participating federal agencies and is intended to provide a high-level perspective from which to observe potential malicious activity in computer network traffic. GAO stated that as of September 2009, fewer than half of the 23 agencies reviewed had executed the required agreements with DHS, and Einstein 2 had been deployed to 6 agencies. Agencies that participated in Einstein 1 cited improved identification of incidents and mitigation of attacks, but determining whether the initiative is meeting its objectives will likely remain difficult because DHS lacks performance measures that address how agencies respond to alerts.
- Trusted Internet Connections (TIC) Initiative: This plan is designed to optimize individual agency network services through a common solution for the federal government. The initiative is to facilitate the reduction of external connections, including Internet points of presence. The GAO stated that none of the 23 agencies it reviewed met all of the requirements of the TIC initiative, and most agencies experienced delays in their plans for reducing and consolidating connections. However, most agencies reported that they have made progress toward reducing and consolidating their external connections and implementing security capabilities.
With agencies still in the process of implementing TIC and DHS in the early stages of deploying Einstein 2, the success of such large-scale initiatives will be in large part determined by the extent to which DHS, OMB, and other federal agencies work together to address the challenges of these efforts, the GAO stated.
The report comes on the heels of another GAO study that found about 69% of the IRS' previously noted security flaws remain unfixed and continue to jeopardize the confidentiality, integrity, and availability of the tax agency's systems. The problems put the IRS at increased risk of unauthorized disclosure, modification, or destruction of financial and taxpayer information, the GAO concluded.
The GAO recently issued another report stating that disruptive cyber activities are expected to become the norm in future political and military conflicts.
Follow Michael Cooney on Twitter: nwwlayer8