The federal government relies on computer networks and systems to provide essential services affecting the health, economy, and defense of the nation. Incidents of hacking or cyber attacks place sensitive information at risk, with potentially serious effects on federal and military operations; critical infrastructure; and government, private sector, and individual privacy. The Department of Homeland Security has designated October as National Cybersecurity Awareness Month. To mark the month, we are highlighting some of our findings on federal cybersecurity efforts.
Cyber Incidents are Increasing
We found that federal agencies reported 782 percent more cybersecurity incidents to the U.S. Computer Emergency Readiness Team in 2012 than in 2006. The dramatic rise in the number of incidents can be seen in the graphic below.
Excerpted from GAO-13-187
Cybersecurity Gaps Put Information at Risk
The increasing number of cyber incidents, together with challenges in effectively implementing cybersecurity measures, has led us to put the protection of federal information systems on our High Risk list. In the latest update, we noted that most of the 24 major federal agencies had information security weaknesses in key control categories, including:
- limiting, preventing, and detecting inappropriate access to computer resources;
- planning for continuity of operations in the event of a disaster or disruption; and
- implementing information security management programs.
Excerpted from GAO-13-283
Other gaps in cybersecurity that we have identified include:
- Information technology supply chain issues at the Departments of Energy, Homeland Security, Justice, and Defense;
- Security control weaknesses in the Environmental Protection Agency’s information systems; and
- Management and other security control issues with the Federal Communications Commission’s network security project.
Agency Responses to Cyber Incidents
We found that agencies are not responding to cyber incidents consistently or effectively, both in cases involving personally identifiable information and in general. Some response strategies we recommended include:
- Documenting risk levels and the number of affected individuals for data breaches;
- Offering credit monitoring to affected individuals;
- Documenting lessons learned from breach responses;
- Testing incident response capabilities; and
- Developing or clarifying policies, plans, and procedures for incident response.
We found that without complete policies, plans, and procedures, along with appropriate oversight of response activities, agencies can’t be certain that their responses will be effective.