GAO: Agencies must pay more attention to cybersecurity

Federal cybersecurity programs run the risk of becoming static and unresponsive in the face of emerging threats, according to the findings of a study by the Government Accountability Office.

The study, titled "Emerging Cybersecurity Issues Threaten Federal Information Systems," focused on three challenges that have evolved rapidly in the last three years: spam, phishing and spyware. And the Federal Information Security Management Act could become a Maginot line against this blitzkrieg of new attacks.

"Many agencies have not fully addressed the risks of emerging cybersecurity threats as part of their required agencywide information security programs," GAO found.

Agencies are required to report all cybersecurity incidents, but there is no governmentwide guidance on which incidents should be reported. The most recent guidance was issued in 2000, before the formation of the U.S. Computer Emergency Readiness Team (US-CERT).

"Lacking the necessary guidance, agencies do not have a clear understanding of which incidents they should be reporting, or how and to whom they should report," GAO concluded.

As a result, government IT systems often remain exposed to unrecognized threats. Some help may be on the way from the Office of Management and Budget, charged with FISMA oversight, and the Homeland Security Department.

OMB said it would begin incorporating new threats into its annual agency FISMA reviews. Together with US-CERT, it is developing a concept of operations and taxonomy for incident reporting, expected to be released this summer.

Despite, or because of, the fact they are so common, spam, phishing and spyware often are not perceived as security threats, GAO found. Only one of 24 major executive branch agencies surveyed recognized the risk presented by spam for delivering malicious code or other attacks. Fourteen agencies reported that phishing had little or no impact, despite the fact that the FBI, IRS and Federal Deposit Insurance Corp. have been targeted in phishing scams. Spyware was recognized as a greater problem, with 11 agencies reporting some impact on productivity caused by the intrusive programs.

Although a number of agencies have consumer awareness programs for these threats, there are no programs to educate users within the agencies.

GAO recommended that:

• Agencies include emerging threats in their required risk assessments and planning required under FISMA
, and

• OMB, DHS and the attorney general develop guidelines for comprehensive incident reporting.