In the shadow of the recent Office of Personnel Management break-in, it likely comes as little surprise to many that the federal government needs to pick up its security game in a big way.
This challenge is perhaps best reflected in a report this week by watchdogs at the Government Accountability Office, which shows that despite years of recommendations and billions of dollars spent, most federal agencies remain frighteningly weak when it comes to cybersecurity.
“Federal agencies’ information and systems remain at a high risk of unauthorized access, use, disclosure, modification, and disruption. These risks are illustrated by the wide array of cyber threats, an increasing number of cyber incidents, and breaches of [personally identifiable information (PII)] occurring at federal agencies. Agencies also continue to experience weaknesses with effectively implementing security controls, such as those for access, configuration management, and segregation of duties. OMB and federal agencies have initiated actions intended to enhance information security at federal agencies. Nevertheless, persistent weaknesses at agencies and breaches of PII demonstrate the need for improved security. Until agencies correct longstanding control deficiencies and address the hundreds of recommendations that we and agency inspectors general have made, federal systems will remain at increased and unnecessary risk of attack or compromise,” the GAO wrote.
All of this weakness is exposed by unrelenting attacks. The GAO noted that the number of information security incidents affecting systems supporting the federal government grew 1,121% since 2006, from 5,503 incidents in 2006 to 67,168 in fiscal year 2014. Similarly, the number of information security incidents involving PII reported by federal agencies has more than doubled in recent years, from 10,481 in 2009 to 27,624 in 2014.
Even as the risks have grown sharply, spending on security systems has grown with them, to little apparent avail. From fiscal year 2010 to fiscal year 2014, 24 agencies reported spending between $10.3 billion and $14.6 billion annually on cybersecurity, including $12.7 billion in fiscal year 2014, a 23% increase from fiscal year 2013, the GAO stated. For fiscal years 2013 and 2014, agencies reported information security spending in areas that include: preventing malicious cyber activity; detecting, analyzing, and mitigating intrusions; and shaping the cybersecurity environment, the GAO stated.
Most agencies continue to have weaknesses in a number of areas, the GAO stated, including:
(1) limiting, preventing, and detecting inappropriate access to computer resources;
(2) managing the configuration of software and hardware;
(3) segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation;
(4) planning for continuity of operations in the event of a disaster or disruption; and
(5) implementing agency-wide security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis.
“These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk, and can impair agencies' efforts to fully implement effective information security programs. In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented.”