In the face of relentless attacks – via malware, DDOS and malicious email – the defenses that protect the nation’s most “high impact” systems are spotty at best and could leave important programs open to nefarious activities, according to a new report from the Government Accountability Office.
+More on Network World: Not dead yet: 7 of the oldest federal IT systems still wheezing away+
At issue here the GAO wrote is the weakness of “high impact” system protection because the government describes those “that hold sensitive information, the loss of which could cause individuals, the government, or the nation catastrophic harm,” and as such should be getting increased security to protect them.
To be certain the threat to high impact systems is growing. The GAO said that in response to its survey of 24 key agencies 14 responded that their agency experienced cybersecurity incidents that affected their high-impact systems during the period October 2013 through June 2015. Of the 14 agencies that responded regarding incidents affecting their high-impact systems, reported 2,267 incidents affecting their high-impact systems.
The GAO noted that the number of information security incidents affecting systems supporting the federal government grew over 1,121% since 2006 -- 5,503 incidents in 2006 to 77,183 in fiscal year 2016. Similarly, the number of information security incidents involving personally identifiable information reported by federal agencies has more than doubled in recent years, from 10,481 in 2009 to 27,624 in 2014.
Departments having high-impact systems that responded to the GAO report included Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, the Interior, Justice, State, Transportation, the Treasury, and Veterans Affairs.
In GAO's survey of 24 federal agencies, the 18 agencies having high-impact systems identified cyber attacks from “nations” as the most serious and most frequently occurring threat to the security of their systems. These agencies also noted that attacks delivered through e-mail were the most serious and frequent. During fiscal year 2014, 11 of the 18 agencies reported 2,267 incidents affecting their high-impact systems, with almost 500 of the incidents involving the installation of malicious code.
As for weaknesses in these systems the GAO said problems existed in access controls, including those protecting system boundaries, identifying and authenticating users, authorizing access needed to perform job duties, encrypting sensitive data, and auditing and monitoring system activities. Shortcomings also existed in applying patches to protect against known vulnerabilities, and planning for system contingencies.
An underlying reason for these weaknesses is that the agencies had not fully implemented elements of their information security programs. For example, security plans did not always address controls specific to high-impact systems, those with significant security responsibilities did not always complete specialized training, systems ‘assessments were not comprehensive, and continuous monitoring strategies were incomplete.”
Challenges also exist for agencies in effectively identifying threats, the GAO wrote. For example, in our survey, we asked agencies to identify the extent to which their inability to recruit staff with appropriate skills, the limited effectiveness of intrusion detection devices, and other challenges hinder their ability to identify threats. In their responses, of the 18 agencies with high-impact systems noted that human issues (recruiting and retaining personnel with the knowledge, skills, and abilities necessary to perform cybersecurity functions) limited their ability to identify threats to a great extent; found rapidly changing threats impaired their ability to identify threats to a great extent; noted that continuous changes in technology hindered their ability to identify threats to a moderate extent; indicated a lack of government-wide information sharing mechanisms limited their ability to identify threats to a moderate extent; and found the limited effectiveness of intrusion detection tools moderately reduced their ability to identify threats, the GAO wrote.
+More on Network World: 26 of the craziest and scariest things the TSA has found on travelers+
It’s not that the government doesn’t have the tools. The Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS)—also known as Einstein is intended to provide DHS with capabilities to detect malicious traffic traversing federal agencies’ computer networks, prevent intrusions, and support data analytics and information sharing but its implementation has been spotty.
As a GAO report in January lamented, not all of the agencies required to implement the systems have implemented NCPS (despite a White House directive last July to speed up adoption): “The 23 agencies required to implement the intrusion detection capabilities had routed some traffic to NCPS intrusion detection sensors. However, only 5 of the 23 agencies were receiving intrusion prevention services, but DHS was working to overcome policy and implementation challenges. Further, agencies have not taken all the technical steps needed to implement the system, such as ensuring that all network traffic is being routed through NCPS sensors. This occurred in part because DHS has not provided network routing guidance to agencies. As a result, DHS has limited assurance regarding the effectiveness of the system,” the GAO stated.
The Office of Management and Budget (OMB) is developing plans for shared services and practices for federal security operations centers but has not issued them yet. In addition, agencies reported that they are in the process of implementing various federal initiatives, such as tools to diagnose and mitigate intrusions on a continuous basis and stronger controls over access to agency networks.
Until the selected agencies address weaknesses in access and other controls, including fully implementing elements of their information security programs, the sensitive data maintained on selected systems will be at increased risk of unauthorized access, modification, and disclosure, and the systems at risk of disruption, the GAO concluded.
Check out these other hot stories: