For the naive who still think cyber data is safe with Uncle Sam, here is some information that demonstrates the harsh reality.
The number of cyber incidents reported by federal agencies jumped more than 1,300 percent, from 5,503 to 77,183, over the 10 years through fiscal 2015. Federal information security has been on the high-risk list of the Government Accountability Office (GAO) since 1997, and the situation has only grown worse.
These statistics, at once sobering and alarming, were included in a GAO report presented to the President’s Commission on Enhancing National Cybersecurity this week. The report was in the form of a statement from Gregory C. Wilshusen, the GAO’s director of information security issues.
“Over the last several years, we have made about 2,500 recommendations to agencies aimed at improving their implementation of information security controls,” Wilshusen said. “These recommendations identify actions for agencies to take in protecting their information and systems. For example, we have made recommendations for agencies to correct weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources. … However, many agencies continue to have weaknesses in implementing these controls, in part because many of these recommendations remain unimplemented. As of September 16, 2016, about 1,000 of our information security–related recommendations have not been implemented.”
Ineffective cyberprotection “can result in significant risk to a broad array of government operations and assets,” he added.
Press secretary Jamal Brown of the Office of Management and Budget (OMB) responded by saying that “cybersecurity is one of the most important challenges we face as a nation. Over the last nearly eight years, federal agencies have made significant progress in strengthening their overall cybersecurity posture. Yet, as cyber threats continue to evolve and grow, we must remain vigilant in our efforts to combat them.”
Part of those efforts was implementation of the Cybersecurity National Action Plan, which established the commission that heard Wilshusen’s statement.
“GAO’s recommendations to the commission are important and welcomed,” Brown said.
Wilshusen's examples show how broad that array of operations and assets can be: “Sensitive information, such as intellectual property and national security data, and personally identifiable information, such as taxpayer data, Social Security records, and medical records, could be inappropriately added to, deleted, read, copied, disclosed, or modified for purposes such as espionage, identity theft, or other types of crime.”
This is not just a theoretical warning.
In 2015, the Office of Personnel Management disclosed that personal information, including Social Security numbers, belonging to roughly 22 million current and former federal employees, job applicants, and others had been stolen in a breach that began in 2014. That remains the largest announced theft of federal personnel data, but it is far from the only one. The private sector has also been hit repeatedly by cyberthieves.
“These threats come from a variety of sources and vary in terms of the types and capabilities of the actors, their willingness to act, and their motives,” Wilshusen said. “For example, advanced persistent threats — where adversaries possess sophisticated levels of expertise and significant resources to pursue their objectives — pose increasing risks.”
In a March report to Congress, the OMB linked the rising number of cybersecurity incidents to “an increase in total information security events and agencies’ enhanced capabilities to identify, detect, manage, respond to, and recover from these incidents.”
Although the report indicates that about 40 percent of the GAO’s recommendations have not been implemented at any one time, in an interview, Wilshusen said the government’s long-term record is significantly better. Within four years, 88 percent to 90 percent of the recommendations are followed, he said by phone. “Over time,” he added, “the agencies do a pretty good job of implementing our recommendations.”
The GAO offered several recommendations, including strengthening oversight of government contractors that provide information-technology services. That was a lesson learned the hard way through the OPM breach, in which the attackers gained their foothold using a contractor's credentials. In 2014, the GAO found that five of six selected agencies “were inconsistent” in their oversight of contractor cyber controls.
The GAO also recommended expanding the federal cyber workforce and training. That is not a new need. Said Wilshusen: “This has been a long-standing dilemma for the federal government.”