Federal agencies are doing little to stem the tide of cyberattacks, which have increased by more than 650 percent over the past five years, a Government Accountability Office report released on Monday concludes.
“Persistent government weaknesses” in information control are undermining IT systems, according to GAO's 49-page review of cybersecurity practices and policies at 24 federal agencies. Congress asked for the report to evaluate compliance with the 2002 Federal Information Security Act.
“An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs,” GAO writes. “As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise.”
For years, GAO has warned of weaknesses in federal cybersecurity systems, but in this report the watchdog agency noted that even as reported attacks rose -- from 5,503 in 2006 to 41,776 in 2010 -- departments failed to act on recommendations.
"Early in my administration, we began updating our nation's cybersecurity programs and policies," President Obama said separately on Monday in declaring October National Cybersecurity Awareness Month.
"We developed a comprehensive plan that ensures a coordinated national response to major disruptive cyber events. This May, we also proposed to the Congress a plan to strengthen protection of our power grids, water systems, and other critical infrastructure."
Of the 24 major agencies and departments that GAO reviewed, including the Justice and Veterans Affairs departments, none had fully or effectively implemented a security program, according to the report.
“These shortcomings leave federal agencies vulnerable to external as well as internal threats,” the report concludes. “As long as agencies have not fully and effectively implemented their information security programs, including addressing the hundreds of recommendations that we and inspectors general have made, federal systems will remain at increased risk of attack or compromise.”
Among those shortcomings, many agencies have not trained personnel, monitored or fixed problems, or handled issues quickly enough.
The Senate sponsors of a bill designed to strengthen cybersecurity systems, including FISMA, said the report is a wake-up call for lawmakers and agencies alike.
"As the number of cyber-related attacks and information breaches continue to grow, it is disturbing that the Government Accountability Office found repeated weaknesses and vulnerabilities in the security of our federal information systems," said Sen. Thomas Carper, D-Del. "These findings are all the more troubling given that GAO has been telling us for some time that these are areas of vulnerability and must be addressed, yet we still haven't made enough progress in shoring up these obvious weaknesses.”
Carper joined the bill's other sponsors and top members of the Senate Homeland Security Committee, in calling for new legislation to close the gaps.
Homeland Security ranking member Susan Collins, R-Maine, said the stakes are too high for new fixes to languish without action.
"There is perhaps no greater vulnerability that Congress has yet to address through legislation than the insecurity of cyberspace," she said. "Today's report points out too many serious vulnerabilities.”
Among its changes, the Cybersecurity and Internet Freedom Act of 2011, introduced by Collins, Carper, and Homeland Security Chairman Joe Lieberman, ID-Conn., would give the Homeland Security Department more authority over cybersecurity.
Want to stay ahead of the curve? Sign up for National Journal’s AM & PM Must Reads. News and analysis to ensure you don’t miss a thing.
Leave a Comment