Cybersecurity


Pervasive and sustained cyber attacks against the United States could have a potentially devastating impact on federal and nonfederal systems, disrupting the operations of governments and businesses and the lives of private individuals.


The increasing dependency upon information technology systems and networked operations pervades nearly every aspect of our society. While bringing significant benefits, this dependency can also create vulnerabilities to cyber-based threats. Underscoring both the importance of safeguarding critical information and information systems and the weaknesses in such efforts, federal information security and the protection of computerized systems supporting our nation’s critical infrastructure are designated a high-risk area.

Federal agencies have significant weaknesses in information security controls that continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support their operations, assets, and personnel. For example, in their performance and accountability reports and annual financial reports for fiscal year 2011, 18 of 24 major federal agencies indicated that inadequate information security controls were either material weaknesses or significant deficiencies.

In addition, most major federal agencies have weaknesses in most of the five major categories of information system controls:

  • access controls, which ensure that only authorized individuals can read, alter, or delete data;
  • configuration management controls, which provide assurance that only authorized software programs are implemented;
  • segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection;
  • continuity of operations planning, which helps avoid significant disruptions in computer-dependent operations; and
  • agencywide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented.

Figure 1 shows the number of agencies that had vulnerabilities in these five information security control categories during fiscal year 2011.

Figure 1: Information Security Weaknesses at 24 Major Federal Agencies in Fiscal Year 2011


Critical infrastructures are systems and assets, whether physical or virtual, so vital to our nation that their incapacity or destruction would have a debilitating impact on national security, economic well-being, public health or safety, or any combination of these. Critical infrastructure includes, among other things, banking and financial institutions, telecommunications networks, and energy production and transmission facilities, most of which are owned by the private sector. As these critical infrastructures have become increasingly dependent on computer systems and networks, the interconnectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt critical systems, with potentially harmful effects.

The federal government has taken a number of steps aimed at addressing cyber threats to critical infrastructure. Despite the actions taken by several successive administrations and the executive branch agencies, significant challenges remain to enhancing the protection of cyber-reliant critical infrastructures, such as

  • implementing actions recommended by the president’s cybersecurity policy review;
  • updating the national strategy for securing the information and communications infrastructure;
  • reassessing DHS’s planning approach to critical infrastructure protection;
  • strengthening public-private partnerships, particularly for information sharing;
  • enhancing the national capability for cyber warning and analysis;
  • addressing global aspects of cybersecurity and governance; and
  • securing the modernized electricity grid, referred to as the “smart grid.”


Threats Impacting the Nation
Published: Apr 24, 2012. Publicly Released: Apr 24, 2012.

IT Supply Chain:

National Security-Related Agencies Need to Better Address Risks
Published: Mar 23, 2012. Publicly Released: Mar 23, 2012.

Information Security:

Weaknesses Continue Amid New Federal Efforts to Implement Requirements
Published: Oct 3, 2011. Publicly Released: Oct 3, 2011.


Continued Attention Needed to Protect Our Nation's Critical Infrastructure
Published: Jul 26, 2011. Publicly Released: Jul 26, 2011.

Cyberspace Policy:

More Reports

Information Security and Privacy Controls Should Be Enhanced to Address Weaknesses
Published: Sep 18, 2014. Publicly Released: Sep 18, 2014.

Actions Needed to Address Weaknesses in Information Security and Privacy Controls
Published: Sep 16, 2014. Publicly Released: Sep 16, 2014.

Information Security:

Agencies Need to Improve Oversight of Contractor Controls
Published: Aug 8, 2014. Publicly Released: Sep 8, 2014.

Information Security:

FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain
Published: Jul 17, 2014. Publicly Released: Jul 17, 2014.

Information Security:

Additional Oversight Needed to Improve Programs at Small Agencies
Published: Jun 25, 2014. Publicly Released: Jun 25, 2014.

Maritime Critical Infrastructure Protection:

DHS Needs to Better Address Port Cybersecurity
Published: Jun 5, 2014. Publicly Released: Jun 5, 2014.

Information Security:

Agencies Need to Improve Cyber Incident Response Practices
Published: Apr 30, 2014. Publicly Released: May 30, 2014.

Information Security:

SEC Needs to Improve Controls over Financial Systems and Data
Published: Apr 17, 2014. Publicly Released: Apr 17, 2014.

Information Security:

IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk
Published: Apr 8, 2014. Publicly Released: Apr 8, 2014.

Information Security:

Federal Agencies Need to Enhance Responses to Data Breaches
Published: Apr 2, 2014. Publicly Released: Apr 2, 2014.


High Risk: Information Security
  • Gregory C. Wilshusen
  • Director, Information Security Issues
  • (202) 512-6244