By Calvin Biesecker

The number of federal information security incidents reported to a Department of Homeland Security (DHS) unit charged with defending federal computer networks against cyber attacks more than tripled from more than 5,500 incidents in FY ’06 to more than 16,800 in FY ’09, according to a new report by the Government Accountability Office (GAO).

“Reviews at federal agencies continue to highlight deficiencies in their implementation of security policies and procedures,” says the report, Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weakness (GAO-09-546). “In their fiscal year 2008 performance and accountability reports, 20 of 24 agencies indicated that inadequate information security controls were either a material weakness or a significant deficiency.” The report was released on Friday and was prepared for the Senate Homeland Security and Governmental Affairs and the House Oversight and Government Reform Committees.

Cyber incidents are reported by federal agencies to the United States Computer Emergency Readiness Team, which is the operational arm of the National Cyber Security Division within DHS. US-CERT responds to and defends against attacks on the federal civilian government networks. The unit also works with the private sector as well as state and local governments and international partners.

The largest numbers of incidents, accounting for 34 percent of the total during the three-year period, are labeled investigation, which means they are under investigation as unconfirmed incidents of potentially malicious activity or anomalous activity that the reporting agency feels needs further review, GAO says.

Violations of agency computer use policies, labeled improper usage, make up 22 percent of the incidents, followed by unauthorized access, at 18 percent, which refers to gaining logical or physical access to an agency’s network or data without permission, the report says.

Malicious code accounts for 14 percent of the incidents. Malicious software such as computer viruses and worms can infect an operating system or application. Not reported in these incidents is malicious code that has been successfully quarantined by antivirus software.

Scans, probes and attempted access account for 12 percent of all incidents. This refers to accessing or identifying a federal agency computer, open ports or service for later exploitation, although it does not directly result in a compromise or denial of service, GAO says.

Denial of service incidents account for less than 1 percent of the total.

The types of material weaknesses at federal agencies with regard to information system controls are across the board, GAO says. These include access controls, configuration management controls, segregation of duties, continuity of operations planning, and an agency-wide information security program.

Despite the increased numbers of incidents and continued weaknesses in cyber security controls, GAO says that federal agencies have reported increased compliance with control activities such as security certifications and accreditations of networks and systems.

Still, GAO says that the number of systems that are tested and evaluated annually has decreased, as has the number of employees and contractors that receive security awareness training.

The report concludes that “until agencies fully and effectively implement information security programs and address the hundreds of recommendations that we and agency inspectors general have made, federal systems will remain at an increased and unnecessary risk of attack or compromise.”