GAO: Fifty Percent of Feds Aren’t Informed of Cyber Risks

By Aliya Sternstein

September 27, 2013

Federal agencies for 15 years have been unable to move cybersecurity off the list of the government's most imperiled programs, and a new audit reveals that the number of agencies that train employees on security every year has fallen to half of them. Note to feds: National Cyber Security Awareness Month starts on Tuesday. 

Perennial weaknesses in government network security endanger national security because of the pervasiveness of the Internet and ever more sophisticated cyber threats, according to a Government Accountability Office report released on Thursday afternoon.

In fiscal 2012, 12 of the 24 major federal agencies provided annual security awareness training to at least 90 percent of their network users, compared with 22 of 24 agencies the prior year. 

These and other “weaknesses show that information security continues to be a major challenge for federal agencies," the audit states. "Until steps are taken to address these persistent challenges, overall progress in improving the nation’s cybersecurity posture is likely to remain limited."

The report does not break down findings by agency.

"We have identified the protection of federal information systems as a governmentwide high-risk area since 1997," the audit continues. "Since that time, we have issued numerous reports making recommendations to address weaknesses in federal information security programs."

GAO officials described a mixed bag of results. More agencies have created programs to manage information security risk. Specifically, 18 of 24 agencies in fiscal 2012 implemented such programs compared to 8 of 24 the previous year. Most agencies document security policies and procedures, but they often don't follow their own rules.

For example, requisite controls intended to limit access to data, hardware and computer facilities were feeble at all but one agency. "Some users shared accounts at one agency, and administrators shared accounts for multiple systems at another agency . . . Other agencies had weak password controls, including systems with passwords that had not been changed from the easily guessable default passwords supplied by the vendor,” the report states.

During the past six years, the number of cyber incidents reported by federal agencies has increased from 5,503 to 48,562, a 782 percent increase. It is unclear whether the rise reflects more attacks or better detection and reporting. 

Most incidents reported during fiscal 2012 involved leaks of printed personal information, data policy violations, or the presence of malicious software, according to auditors.

The government's overall approach to minimizing cyber risks needs an upgrade, the report suggests. Auditors complained the current strategy focuses on check-the-box exercises to confirm controls are in place, rather than checking that the controls are effective. 

Responding to a draft report, federal officials pointed to a new potential $6 billion contract aimed precisely at addressing this shortcoming. The Homeland Security Department is paying to offer agencies packages of sensors, risk-status displays and professional consulting that gauge, in near real-time, whether controls are working.

With the advent of this technology, "the focus will shift to security outcomes and prioritization of risks, whereas under the current compliance framework, specific data as to the effectiveness of mitigations and the true-cost of non-compliance remain limited," Jim Crumpacker, DHS director of the GAO liaison office, wrote in a Sept. 13 letter. 

Sen. Tom Coburn, R-Okla., ranking Republican on the Homeland Security and Governmental Affairs Committee, said in a statement on Thursday, “Today’s report confirms a disturbing fact: the federal government still has miles to go to protect its own systems from cyber-attacks. It is Congress’ first duty to protect these public systems, and I plan on working further with Chairman [Sen. Tom Carper, D-Del.] on crafting legislation to safeguard these networks.”

The current law governing agency cybersecurity, the Federal Information Security Management Act of 2002 (FISMA), is generally considered outdated. 

Carper added, "I continue to work closely with my colleagues in the Senate and House, especially Dr. Coburn, on bipartisan legislation that will address the very serious cyber threats facing our country, including updating our current FISMA framework to provide continuous, real-time security.”

Cybersecurity legislation is widely considered unlikely to pass any time soon, given citizen concerns about government Internet surveillance, industry opposition to new regulations, and higher legislative priorities, such as funding the government. 
