Information Security: Emerging Cybersecurity Issues Threaten Federal Information Systems

GAO-05-231 May 13, 2005
Highlights Page (PDF)   Full Report (PDF, 79 pages)   Accessible Text   Recommendations (HTML)

Summary

Federal agencies are facing a set of emerging cybersecurity threats that are the result of increasingly sophisticated methods of attack and the blending of once distinct types of attack into more complex and damaging forms. Examples of these threats include spam (unsolicited commercial e-mail), phishing (fraudulent messages to obtain personal or sensitive data), and spyware (software that monitors user activity without user knowledge or consent). To address these issues, GAO was asked to determine (1) the potential risks to federal systems from these emerging cybersecurity threats, (2) the federal agencies' perceptions of risk and their actions to mitigate them, (3) federal and private-sector actions to address the threats on a national level, and (4) governmentwide challenges to protecting federal systems from these threats.

Spam, phishing, and spyware pose security risks to federal information systems. Spam consumes significant resources and is used as a delivery mechanism for other types of cyberattacks; phishing can lead to identity theft, loss of sensitive information, and reduced trust in and use of electronic government services; and spyware can capture and release sensitive data, make unauthorized changes, and decrease system performance. The blending of these threats creates additional risks that cannot be easily mitigated with currently available tools. Agencies' perceptions of the risks of spam, phishing, and spyware vary. In addition, most agencies were not applying the information security program requirements of the Federal Information Security Management Act of 2002 (FISMA) to these emerging threats, including performing risk assessments, implementing effective mitigating controls, providing security awareness training, and ensuring that their incident-response plans and procedures addressed these threats. Several entities within the federal government and the private sector have begun initiatives to address these emerging threats. These efforts range from educating consumers to targeting cybercrime. Similar efforts are not, however, being made to assist and educate federal agencies. Although federal agencies are required to report incidents to a central federal entity, they are not consistently reporting incidents of emerging cybersecurity threats. Pursuant to FISMA, the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) share responsibility for the federal government's capability to detect, analyze, and respond to cybersecurity incidents. However, governmentwide guidance has not been issued to clarify to agencies which incidents they should be reporting, as well as how and to whom they should report. Without effective coordination, the federal government is limited in its ability to identify and respond to emerging cybersecurity threats, including sophisticated and coordinated attacks that target multiple federal entities.



Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6244


Recommendations for Executive Action


Recommendation: In order to more effectively prepare for and address emerging cybersecurity threats, the Director, Office of Management and Budget, should ensure that agencies' information security programs required by FISMA address the risk of emerging cybersecurity threats such as spam, phishing, and spyware, including performing periodic risk assessments; implementing risk-based policies and procedures to mitigate identified risks; providing security-awareness training; and establishing procedures for detecting, reporting, and responding to incidents of emerging cybersecurity threats.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: In July 2006, we verified that OMB has fulfilled our recommendation by adding questions regarding emerging technology to the FY 2005 Instructions for Preparing the Federal Information Security Management Act Report. Furthermore, these questions ask agencies whether they have documented in their security policies special procedures for using emerging technologies and countering emerging threats. OMB will consider agency responses when determining whether it approves or disapproves agency security programs as part of the FY06 review cycle.

Recommendation: In order to more effectively prepare for and address emerging cybersecurity threats, the Director, Office of Management and Budget, should coordinate with the Secretary of Homeland Security and the Attorney General to establish governmentwide guidance for agencies on how to (1) address emerging cybersecurity threats and (2) report incidents to a single government entity, including clarifying the respective roles, responsibilities, processes, and procedures for federal entities--including homeland security and law enforcement.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: In July 2006, we verified that OMB has fulfilled our recommendation by distributing a "Concept of Operations for Federal Cyber Security Incident Handling" to Chief Information Officers in May of 2005. CONOPS contains a common set of incident terms and clarifies the roles, responsibilities, processes, and procedures for federal entities involved in incident reporting and response, including homeland security and law enforcement. Furthermore, OMB claims that DHS's National Cyber Security Division continues to publish alerts on, and guidance on how to combat, a variety of emerging cybersecurity threats.