GAO: Agencies still have a long way to go in improving cybersecurity

By: William Jackson
June 26, 2015


Some governmentwide programs offer the promise of improved security in federal information systems, but cybersecurity remains a high risk area and threats to sensitive personal information continue to grow.

After almost 20 years on the Government Accountability Office’s (GAO) list of high risk programs, federal information security remains inadequate and threats to sensitive information being held by the government continue to grow, the GAO told Congress.

This probably is not news to anyone. Gregory C. Wilshusen, GAO’s director of information security issues, appeared before the House Homeland Security subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies to discuss recent high-profile breaches that have exposed personally identifiable information (PII) of millions of taxpayers and current and former federal employees.

Wilshusen has become a familiar face on Capitol Hill, and his message—unfortunately—also has become familiar: “Until federal agencies take actions to address these challenges—including implementing the hundreds of recommendations GAO and agency inspectors general have made—federal systems and information, including sensitive personal information, will be at an increased risk of compromise from cyber-based attacks and other threats.”

The relentless drumbeat of breaches of high value federal systems bears out this assessment.

GAO first designated federal information security as high risk in 1997, back when it was the General Accounting Office. Critical infrastructure was put on the list in 2003 and the privacy of personal information was added in February. The addition of PII reflects a growing cyber threat to privacy. The number of overall security incidents reported to US-CERT has risen steadily from 5,503 in fiscal 2006 to 67,168 in fiscal 2014. This is not necessarily all bad news. A good part of this increase probably represents agencies’ improved ability to detect threats. But the number of incidents involving PII has more than doubled in recent years, from 10,481 in fiscal 2009 to 27,624 in fiscal 2014.

PII is becoming the big concern in cybersecurity. It is a high value target because it can be used by criminals and by foreign nations alike. Identity theft is a big money maker, and government databases are a trove of personal data that can be turned into cash. It also can be leveraged for espionage, as a recruiting tool and to craft spearphishing attacks to gain entry into more systems.

Frameworks, plans, mandates and guidelines to improve cybersecurity are routinely issued, but implementation is spotty and improvements have been limited. Improved access control through multi-factor authentication is routinely cited as a way to improve security, and the use of smart Personal Identity Verification cards for online authentication was mandated in 2004. But GAO found that by fiscal 2014 only 41 percent of civilian agency accounts required PIV cards for access.

A major governmentwide initiative is EINSTEIN, a phased program that began with traffic monitoring, moved on to intrusion detection, and now is incorporating intrusion prevention. But a GAO evaluation found that it uses only signatures to detect threats, ignoring anomaly detection and stateful protocol analysis, and that the IPS function has only limited adoption among agencies.

One of the newest government programs is Continuous Diagnostics and Mitigation, which provides tools for continuous monitoring of systems and automation of incident response. GAO found that an early State Department implementation of continuous monitoring improved visibility and helped administrators find and mitigate problems. There were weaknesses in the system, but it appears to be at least a promising start.

The federal government needs to make cybersecurity a top priority, not only at the highest levels of the administration but also down in the weeds among the workers who have to implement technology. Ultimately, this requires Congress to use its power of the purse strings to provide resources to make security a reality.