Federal agencies need to improve cybersecurity capabilities, GAO says
It is becoming more difficult for organizations to achieve a high degree of cybersecurity, and even more challenging to remain one step ahead of the growing, evolving cyberthreats that firms now face. Cyberattackers in the form of cybercriminals, state-sponsored cyberterrorists and hacktivists are growing in number, and the U.S. government is, for many of them, the most tempting target available. Consequently, federal agencies must be even more effective in their cybersecurity efforts than most private sector firms.
Unfortunately, many federal agencies are not currently meeting this standard, as the Government Accountability Office made clear. In order to keep government and constituent data safe in the coming years, these agencies will need to significantly improve their performance in this capacity.
"The risk of a successful cyberattack against government agencies is both significant and growing."
Major weaknesses identified
Gregory Wilshusen, director of information security issues for the GAO, recently testified in front of the House Committee on Oversight and Government Reform. In his statement, Wilshusen made it clear that the risk of a successful cyberattack against numerous key government agencies is both significant and growing.
"Until agencies take actions to address these challenges – including the hundreds of recommendations made by GAO and inspectors general – their systems and information will be at increased risk of compromise from cyber-based attacks and other threats," said Wilshusen.
The GAO's report on the subject identified several key examples of cybersecurity shortcomings and vulnerabilities. Notably, the Department of Veterans Affairs' Office of Inspector General found that two VA contractors based in foreign countries used their personal devices to access the VA network without authorization. Such activity presents a major potential risk to the entirety of the agency's digital assets.
The VA was not alone in this type of cybersecurity oversight. Wilshusen noted that an August 2014 GAO report found that five of six reviewed agencies proved to be inconsistent in their implementation of security controls for contractors. Some of these agencies lacked documented IT security policies, while others simply overlooked certain critical components of cybersecurity best practices in this realm.
"19 of the 24 federal agencies' financial reporting information security controls were found lacking."
Cybersecurity issues were not limited to the VA. The GAO report noted that in fiscal year 2014, 19 of the 24 federal agencies were found lacking in regard to their information security controls for financial reporting.
One of the key points emphasized by Wilshusen in his testimony was the fact that cyberthreats are not limited to external attackers. In addition to addressing these dangers, he pointed out that federal agencies must take steps to reduce the risk posed by insider threats, both intentional and unintentional. A poorly trained employee may be just as dangerous as a savvy hacker.
Additionally, Wilshusen testified that federal agencies widely appear unprepared to respond effectively in the wake of a data breach. He noted that the April 2014 GAO report found that all of the 24 agencies surveyed failed to demonstrate consistent effectiveness when responding to cyber incidents.
"Specifically, we estimated that agencies did not completely document actions taken in response to detected incidents reported in fiscal year 2012 in about 65 percent of cases," said Wilshusen. "In addition, six agencies we reviewed had not fully developed comprehensive policies, plans and procedures to guide their incident-response activities."
There have been numerous examples of high-level struggles in this area. Most notably, government officials recently acknowledged that Russian hackers gained access to the State Department and White House's computer systems. As The New York Times reported, these hackers were able to access White House email archives, including some of President Obama's own unclassified messages.
"Despite being unclassified, the president's correspondence is considered 'highly sensitive.'"
Despite being unclassified, the president's correspondence is considered "highly sensitive," the news source reported. Messages included information regarding President Obama's schedule, emails to and from ambassadors, policy debates and more.
According to The New York Times, government cybersecurity personnel were able to expel the hackers from the White House's email system within a few weeks of the initial discovery in October. However, the government was far less successful when it came to purging the State Department's email system. In November, members of the State Department were forced to rely on personal email accounts when conducting nuclear negotiations with Iran, as the official email system was still compromised.
As the State Department's ad hoc work-around highlighted, cybersecurity failures' impact can go beyond compromising sensitive data. In this case, government representatives at the highest levels were forced to adopt a tactic which did not speak highly of the United States' cybersecurity capabilities.
This, along with the issues emphasized by Wilshusen and the GAO, suggest that federal agencies need to improve their cybersecurity capabilities across the board. There is no simple fix – a comprehensive approach is necessary to shore up the myriad small and large issues that have proven problematic for government organizations. Short-term and small-scale solutions will not be sufficient.