Protecting the Federal Government's Information Systems and Nation's Cyber Critical Infrastructures
As computer technology has advanced, federal agencies and our nation's critical infrastructures, such as power distribution, water supply, telecommunications, and emergency services, have become increasingly dependent on computerized information systems and electronic data to carry out operations and to process, maintain, and report essential information. The security of these systems and data is essential to protecting national and economic security, and public health and safety. Safeguarding federal computer systems and the systems that support critical infrastructures, referred to as cyber critical infrastructure protection (cyber CIP), is a continuing concern. Federal information security has been on GAO's list of high-risk areas since 1997; in 2003, GAO expanded this high-risk area to include cyber CIP. Risks to information and communication systems include insider threats from disaffected or careless employees and business partners, escalating and emerging threats from around the globe, the ease of obtaining and using hacking tools, the steady advance in the sophistication of attack technology, and the emergence of new and more destructive attacks.
Cyber threats and incidents are increasingly prevalent. Threats to systems supporting critical infrastructure and government information systems are evolving and growing. These threats come from a variety of sources and vary in terms of the types and capabilities of the actors, their willingness to act, and their motives. For example, advanced persistent threats, in which adversaries possess sophisticated levels of expertise and significant resources to pursue their objectives, pose increasing risks.
Cyber incidents affecting computer systems and networks continue to rise. Over the past 6 years, the number of cyber incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) has increased from 5,503 in fiscal year 2006 to 48,562 in fiscal year 2012, an increase of 782 percent (see fig. 4). In addition, reports of cyber incidents affecting national security, intellectual property, and individuals have been widespread, with reported incidents involving data loss or theft, economic loss, computer intrusions, and privacy breaches.
Figure 4: Incidents Reported to US-CERT, Fiscal Years 2006-2012
The federal government continues to face challenges in effectively implementing cybersecurity. GAO and agency inspector general reports have identified challenges in a number of key areas of the government's approach to cybersecurity, including those related to protecting the nation's critical infrastructure. While actions have been taken to address aspects of these challenges, issues remain in each of the following areas.
- Designing and implementing risk-based cybersecurity programs at federal agencies. Shortcomings persist in assessing risks, developing and implementing security controls, and monitoring results at federal agencies. Specifically, for fiscal year 2012, 19 of 24 major federal agencies reported that information security control deficiencies were either a material weakness or a significant deficiency in internal controls over financial reporting. Further, inspectors general at 22 of 24 agencies cited information security as a major management challenge for their agency. Most of the 24 major agencies had information security weaknesses in most of the five key control categories: limiting, preventing, and detecting inappropriate access to computer resources; managing the configuration of software and hardware; segregating duties to ensure that a single individual does not control all key aspects of a computer-related operation; planning for continuity of operations in the event of a disaster or disruption; and implementing agency-wide information security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis (see fig. 5).
Figure 5: Information Security Weaknesses at Major Federal Agencies for Fiscal Year 2012
- Establishing and identifying standards for critical infrastructures. The Department of Homeland Security (DHS) and other agencies with responsibilities for specific critical infrastructure sectors have not yet identified cybersecurity guidance applicable to or widely used in each of the sectors. Moreover, sectors vary in the extent to which they are required by law or regulation to comply with specific cybersecurity requirements. Regarding regulatory jurisdiction in securing the U.S. electricity grid, experts GAO spoke with expressed concern that there was a lack of clarity in the division of responsibility between federal and state regulators, particularly regarding cybersecurity.
- Detecting, responding to, and mitigating cyber incidents. DHS has made incremental progress in coordinating the federal response to cyber incidents, but challenges remain in sharing information among federal agencies and key private sector entities, including critical infrastructure owners, as well as in developing a timely analysis and warning capability.
- Promoting education, awareness, and workforce planning. In November 2011, GAO reported that agencies leading strategic planning efforts for education and awareness, including the Department of Commerce, the Office of Management and Budget (OMB), the Office of Personnel Management, and DHS, had not developed details on how they were going to achieve planned outcomes and that the specific tasks and responsibilities were unclear.
- Promoting research and development (R&D). The goal of supporting targeted cyber R&D has been impeded by implementation challenges among federal agencies. For example, effectively targeting R&D initiatives has been hindered by limited sharing of detailed information about ongoing research, including the lack of a repository to track R&D projects and funding, as required by law.
- Managing risks to the global information technology supply chain. Reliance on a global supply chain for information technology products and services introduces risks to systems, and federal agencies have not always addressed these risks. Specifically, in March 2012, GAO reported that four national security-related agencies varied in the extent to which they had defined supply chain protection measures for their information systems and were not in a position to develop implementing procedures and monitoring capabilities for such measures.
- Addressing international cybersecurity challenges. While progress has been made in identifying the importance of international cooperation and assigning roles and responsibilities related to it, the government's approach to addressing international aspects of cybersecurity has not yet been completely defined and implemented.
Until the administration and executive branch agencies implement the hundreds of recommendations made by GAO and agency inspectors general to address cyber challenges, resolve identified deficiencies, and fully implement effective security programs, a broad array of federal assets and operations will remain at risk of fraud, misuse, and disruption, and the nation's most critical federal and private sector infrastructure systems will remain at increased risk of attack from adversaries.
The government has issued a variety of strategy-related documents over the last decade, many of which address aspects of the above challenge areas. The documents address priorities for enhancing cybersecurity within the federal government as well as for encouraging improvements in the cybersecurity of critical infrastructure within the private sector. Since the February 2011 update to GAO's high-risk series, the administration has issued several strategies and planning documents to address aspects of national and federal cybersecurity. For example, in 2011, the administration issued the National Strategy For Trusted Identities In Cyberspace to outline a strategy to make online transactions more secure for business and consumers; the International Strategy for Cyberspace to lay out an approach to engage with international partners on a range of cyber issues and communicate our nation's priorities and how to reduce the threats faced in cyberspace; and Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program, to provide a set of coordinated research priorities that could result in a trustworthy cyberspace.
The administration has also taken steps to enhance various cybersecurity capabilities. For example, in 2012, in coordination with experts from DHS and the Department of Defense, the National Institute of Standards and Technology, and OMB, it established agency performance goals and a tracking mechanism to monitor performance in three cross-agency priority areas for improving the cybersecurity capabilities of the federal government (see table 7).
Table 7: Descriptions of Priority Areas
- Trusted Internet connections: Consolidate external telecommunication access points and establish a set of baseline security capabilities for situational awareness and enhanced monitoring.
- Continuous monitoring of federal information systems: Transform the static security control assessment and authorization process into a dynamic risk mitigation program that provides essential, near real-time security status and remediation.
- Increase the use of federal smartcard credentials such as Personal Identity Verification and Common Access Cards that provide multi-factor authentication and digital signature and encryption capabilities.
Improving these capabilities is a step in the right direction, and their effective implementation can enhance federal information security.
However, while these and other strategy documents have included certain characteristics of a comprehensive strategic approach that can enhance the usefulness of national strategies, such as setting goals and subordinate objectives, they generally lacked other key elements. These missing elements include:
- Milestones and performance measures. The government's strategy documents include few milestones or performance measures, making it difficult to track progress in accomplishing stated goals and objectives.
- Cost and resources. Past strategy documents linked certain activities to budget submissions; however, none have fully addressed cost and resources.
- Roles and responsibilities. Cybersecurity strategy documents have assigned high-level roles and responsibilities but have left important details unclear. For example, OMB and DHS roles and responsibilities for overseeing agencies' information security programs have not been clearly defined.
- Linkage with other key strategy documents. Existing cybersecurity strategy documents vary in terms of priorities and structure, and they do not specify how they link to or supersede other documents, nor do they describe how they fit into the overall national cybersecurity strategy.
The many continuing cybersecurity challenges faced by the government highlight the need for a more clearly defined oversight process to ensure agencies are held accountable for implementing effective information security programs. Further, until an overarching national cybersecurity strategy is developed that addresses all key elements of desirable characteristics, overall progress in achieving the government's objectives is likely to remain limited.
The administration needs to prepare an overarching cybersecurity strategy that includes all desirable characteristics of a national strategy, including milestones and performance measures; cost, sources, and justification for needed resources; specific roles and responsibilities of federal organizations; and guidance, where appropriate, regarding how this strategy relates to priorities, goals, and objectives stated in other national strategy documents. The administration should also demonstrate progress in implementing the strategies and achieving measurable and appropriate outcomes. The strategy should include a roadmap for making significant improvements in the cybersecurity challenge areas listed above and better ensure that federal departments and agencies are held accountable for making significant improvements in those cybersecurity challenge areas.
Congress should also consider legislation to better define roles and responsibilities for implementing and overseeing federal information security programs and for protecting the nation's critical cyber assets. For example, such legislation could better define roles and responsibilities for DHS and OMB oversight of federal information security.
Executive branch agencies, in particular DHS, also need to continue to enhance their cyber analytical and technical capabilities, expand oversight of federal agencies' implementation of information security, and demonstrate progress in strengthening the effectiveness of public-private sector partnerships in securing cyber critical infrastructures.
Agencies also need to (1) develop and implement remedial action plans for resolving known security deficiencies of government systems; (2) fully develop and effectively implement agency-wide information security programs, as required by the Federal Information Security Management Act of 2002; and (3) demonstrate measurable, sustained progress in improving security over federal systems. Such progress should include having the government-wide material weakness in information security upgraded to a significant deficiency for 2 consecutive years and reducing the factors that contribute to the significant deficiency, as reported by GAO in its annual audit of the financial statements for the United States government.