GAO says agencies unprepared for computer attacks

New hacking threats to government systems, including 'phishing,' spyware and spam, could wreak havoc on agencies.

Government computer systems are not prepared for the mounting sophistication of Internet-based hacker attacks, according to a new report from the Government Accountability Office.

As the risks created by emerging cybersecurity threats such as spam, spyware and "phishing" increase, GAO auditors say that most agencies are unaware of the threat and are failing to comply with the requirements of the 2002 Federal Information Security Management Act. Phishing is an attempt to steal someone's identity by posing as a legitimate company and asking for personal information by e-mail. Spam is the unwanted delivery of e-mail, often clogging networks, and spyware is software that monitors computer users' activity without their knowledge.

Agencies are not consistently reporting incidents of cybersecurity threats, and the Office of Management and Budget has not issued governmentwide guidance clarifying what incidents should be reported to the Homeland Security Department, as mandated by FISMA, the report stated.

The 79-page report (GAO-05-231) found that new cybersecurity threats such as spam and phishing could blend into a mix of other threats, posing a complex and damaging risk to agencies' firewalls and filters.

If agencies do not work together to address these threats, the report said, the government's ability to deal with them is limited.

Agencies reported varying perceptions of the risks presented by spam, phishing and spyware, and many are not dealing with them as part of an agencywide information security program. A lack of awareness of the emerging threats was a primary problem identified by the auditors in their survey of 24 agencies.

Groups within the federal government and the private sector are addressing the problem through educating users, detecting threats and adding system protections, but these efforts often are not shared with agencies.

GAO recommended that OMB make sure agencies address the problems with periodic risk assessments, procedures for dealing with identified threats, and training. OMB also was encouraged to establish governmentwide guidance for reporting the emerging threats.

In response to the report, OMB said that while it is agencies' responsibility to comply with FISMA, it would add information on cyberthreats to its annual review package. OMB also said it will take into account whether programs address new threats before approving them.

According to OMB, a document detailing how to report incidents is being prepared by the Homeland Security Department and should be issued this summer.

An OMB task force is preparing to make recommendations in September on how to consolidate cybersecurity efforts in an attempt to share common processes and reduce costs.

Rep. Adam H. Putnam, R-Fla., chairman of the House Government Reform Subcommittee on Technology, said in a statement that he is looking at initiatives to respond to the threats identified by GAO.