Pervasive and sustained cyber attacks against the United States could have a potentially devastating impact on federal and nonfederal systems, disrupting the operations of governments and businesses and the lives of private individuals.
The increasing dependency upon information technology systems and networked operations pervades nearly every aspect of our society. While bringing significant benefits, this dependency can also create vulnerabilities to cyber-based threats. Underscoring the importance of safeguarding critical information and information systems and weaknesses in such efforts, federal information security and protecting computerized systems supporting our nations critical infrastructure are designated a high-risk area.
Federal agencies have significant weaknesses in information security controls that continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support their operations, assets, and personnel. For example, in their performance and accountability reports and annual financial reports for fiscal year 2011, 18 of 24 major federal agenciesindicated that inadequate information security controls were either material weaknesses or significant deficiencies.
In addition, most major federal agencies have weaknesses in most of the five major categories of information system controls:
- access controls, which ensure that only authorized individuals can read, alter, or delete data;
- configuration management controls, which provide assurance that only authorized software programs are implemented;
- segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection;
- continuity of operations planning, which helps avoid significant disruptions in computer-dependent operations; and
- agencywide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented.
Figure 1 shows the number of agencies that had vulnerabilities in these five information security control categories during fiscal year 2011.
Figure 1: Information Security Weaknesses at 24 Major Federal Agencies in Fiscal Year 2011
Critical infrastructures are systems and assets, whether physical or virtual, so vital to our nation that their incapacity or destruction would have a debilitating impact on national security, economic well-being, public health or safety, or any combination of these. Critical infrastructure includes, among other things, banking and financial institutions, telecommunications networks, and energy production and transmission facilities, most of which are owned by the private sector. As these critical infrastructures have become increasingly dependent on computer systems and networks, the interconnectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt critical systems, with potentially harmful effects.
The federal government has taken a number of steps aimed at addressing cyber threats to critical infrastructure. Despite the actions taken by several successive administrations and the executive branch agencies, significant challenges remain to enhancing the protection of cyber-reliant critical infrastructures, such as
- implementing actions recommended by the presidents cybersecurity policy review;
- updating the national strategy for securing the information and communications infrastructure;
- reassessing DHSs planning approach to critical infrastructure protection;
- strengthening public-private partnerships, particularly for information sharing;
- enhancing the national capability for cyber warning and analysis;
- addressing global aspects of cybersecurity and governance; and
- securing the modernized electricity grid, referred to as the smart grid.
GAO-12-666T: Published: Apr 24, 2012. Publicly Released: Apr 24, 2012.
GAO-12-361: Published: Mar 23, 2012. Publicly Released: Mar 23, 2012.
GAO-12-137: Published: Oct 3, 2011. Publicly Released: Oct 3, 2011.
GAO-11-865T: Published: Jul 26, 2011. Publicly Released: Jul 26, 2011.
GAO-11-24: Published: Oct 6, 2010. Publicly Released: Oct 6, 2010.
GAO-15-6: Published: Dec 12, 2014. Publicly Released: Jan 12, 2015.
GAO-15-220T: Published: Nov 18, 2014. Publicly Released: Nov 18, 2014.
GAO-15-117: Published: Nov 13, 2014. Publicly Released: Nov 17, 2014.
GAO-14-871T: Published: Sep 18, 2014. Publicly Released: Sep 18, 2014.
GAO-14-730: Published: Sep 16, 2014. Publicly Released: Sep 16, 2014.
GAO-14-612: Published: Aug 8, 2014. Publicly Released: Sep 8, 2014.
GAO-14-674: Published: Jul 17, 2014. Publicly Released: Jul 17, 2014.
GAO-14-344: Published: Jun 25, 2014. Publicly Released: Jun 25, 2014.
GAO-14-459: Published: Jun 5, 2014. Publicly Released: Jun 5, 2014.
GAO-14-354: Published: Apr 30, 2014. Publicly Released: May 30, 2014.