Trusted ID, monitoring efforts can’t keep IT security off high-risk list
- By William Jackson
- Feb 15, 2013
After 16 years of plans, strategies and regulation, federal IT security remains one of 30 program areas designated by government auditors as high risk.
The Government Accountability Office released its latest biennial assessment of programs most vulnerable to fraud, waste, abuse, and mismanagement and ineffectiveness. The security of government information systems has been on the list since 1997, and in 2003 protection of the nation’s privately owned critical infrastructure was added.
The two are lumped together as one high-risk area, which is receiving increasing attention from the administration, Congress and non-government security experts. Despite the attention and initiatives being taken to improve security, little progress was noted by GAO.
“Until the administration and executive branch agencies implement the hundreds of recommendations made by GAO and agency inspectors general to address cyber challenges, resolve identified deficiencies, and fully implement effective security programs, a broad array of federal assets and operations will remain at risk of fraud, misuse and disruption, and the nation’s most critical federal and private-sector infrastructure systems will remain at increased risk of attack from adversaries,” the report concluded.
GAO began the list in 1990 with 14 areas designated and updates it every two years. Since the original list, 41 problem areas have been added and 23 removed. Of the 30 listed today, IT security is number 10 in length of time it has remained. Six problem areas date back to 1990.
This year’s list removes two areas from the previous list: Management of interagency contracting and the IRS Business Systems Modernization program. It also added two areas: The economic risks of climate change and mitigating gaps in weather satellite data.
In its assessment of cybersecurity, GAO cited the growing number of IT security incidents, which has gone from 5,503 incidents reported to US-CERT in 2006 to 48,652 in 2012.
The Obama administration has paid attention to the issue, and in 2011 issued the National Strategy for Trusted Identities in Cyberspace; the International Strategy for Cyberspace, to create international norms; and a Strategic Plan for the Federal Cybersecurity Research and Development Program. In 2012, three priority areas identified by the administration for improvement:
Trusted Internet Connections: Consolidate external telecommunication access points and establish a set of baseline security capabilities for situational awareness and enhanced monitoring.
Continuous monitoring of federal information systems: Transform static security control assessment and authorization process into a dynamic risk-mitigation program that provides essential, near real-time security status and remediation.
Strong authentication: Increase the use of federal smart-card credentials such as Personal Identity Verification and Common Access Cards that provide multifactor authentication and digital signature and encryption capabilities.
While GAO praised the efforts, it said they lack the milestones and performance measures, budget resources, clear rules and accountability, and linkage with other key strategy documents needed to make them effective.
The auditors identified seven areas to be addressed:
- Designing and implementing risk-based cybersecurity programs at federal agencies.
- Establishing and identifying standards for critical infrastructures.
- Detecting, responding to and mitigating cyber incidents.
- Promoting education, awareness and workforce planning.
- Promoting research and development.
- Managing risks to the global information technology supply chain.
- Addressing international cybersecurity challenges.
Congress should also consider legislation better defining roles and responsibilities, GAO concluded, and the Homeland Security Department should expand its analytical and abilities and oversight activities.
Finally, the report said, “the administration needs to prepare an overarching cybersecurity strategy that includes all desirable characteristics of a national strategy, including milestones and performance measures; cost, sources, and justification for needed resources; specific roles and responsibilities of federal organizations; guidance, where appropriate, regarding how this strategy relates to priorities, goals, and objectives stated in other national strategy documents; and demonstrate progress in implementing the strategies and achieving measureable and appropriate outcomes.”
William Jackson is freelance writer and the author of the CyberEye blog.