This is the accessible text file for GAO report number GAO-12-666T entitled 'Cybersecurity: Threats Impacting the Nation' which was released on April 24, 2012. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Testimony: Before the Subcommittee on Oversight, Investigations, and Management, Committee on Homeland Security, House of Representatives: For Release on Delivery: Expected at 2:00 p.m. EDT: Tuesday, April 24, 2012: Cybersecurity: Threats Impacting the Nation: Statement of Gregory C. Wilshusen, Director: Information Security Issues: GAO-12-666T: GAO Highlights: Highlights of GAO-12-666T, a testimony before the Subcommittee on Oversight, Investigations, and Management, Committee on Homeland Security, House of Representatives. Why GAO Did This Study: Nearly every aspect of American society increasingly depends upon information technology systems and networks. This includes increasing computer interconnectivity, particularly through the widespread use of the Internet as a medium of communication and commerce. While providing significant benefits, this increased interconnectivity can also create vulnerabilities to cyber-based threats. Pervasive and sustained cyber attacks against the United States could have a potentially devastating impact on federal and nonfederal systems, disrupting the operations of governments and businesses and the lives of private individuals. Accordingly, GAO has designated federal information security as a governmentwide high-risk area since 1997, and in 2003 expanded it to include protecting systems and assets vital to the nation (referred to as critical infrastructures). GAO is providing a statement that describes (1) cyber threats facing the nation’s systems, (2) vulnerabilities present in federal information systems and systems supporting critical infrastructure, and (3) reported cyber incidents and their impacts. In preparing this statement, GAO relied on previously published work in these areas and reviewed more recent GAO, agency, and inspectors general work, as well as reports on security incidents. What GAO Found: The nation faces an evolving array of cyber-based threats arising from a variety of sources. These threats can be intentional or unintentional. Unintentional threats can be caused by software upgrades or defective equipment that inadvertently disrupt systems, and intentional threats can be both targeted and untargeted attacks from a variety of threat sources. Sources of threats include criminal groups, hackers, terrorists, organization insiders, and foreign nations engaged in crime, political activism, or espionage and information warfare. These threat sources vary in terms of the capabilities of the actors, their willingness to act, and their motives, which can include monetary gain or political advantage, among others. Moreover, potential threat actors have a variety of attack techniques at their disposal, which can adversely affect computers, software, a network, an organization’s operation, an industry, or the Internet itself. The nature of cyber attacks can vastly enhance their reach and impact due to the fact that attackers do not need to be physically close to their victims and can more easily remain anonymous, among other things. The magnitude of the threat is compounded by the ever-increasing sophistication of cyber attack techniques, such as attacks that may combine multiple techniques. Using these techniques, threat actors may target individuals, businesses, critical infrastructures, or government organizations. The threat posed by cyber attacks is heightened by vulnerabilities in federal systems and systems supporting critical infrastructure. Specifically, significant weaknesses in information security controls continue to threaten the confidentiality, integrity, and availability of critical information and information systems supporting the operations, assets, and personnel of federal government agencies. For example, 18 of 24 major federal agencies have reported inadequate information security controls for financial reporting for fiscal year 2011, and inspectors general at 22 of these agencies identified information security as a major management challenge for their agency. Moreover, GAO, agency, and inspector general assessments of information security controls during fiscal year 2011 revealed that most major agencies had weaknesses in most major categories of information system controls. In addition, GAO has identified vulnerabilities in systems that monitor and control sensitive processes and physical functions supporting the nation’s critical infrastructures. These and similar weaknesses can be exploited by threat actors, with potentially severe effects. The number of cybersecurity incidents reported by federal agencies continues to rise, and recent incidents illustrate that these pose serious risk. Over the past 6 years, the number of incidents reported by federal agencies to the federal information security incident center has increased by nearly 680 percent. These incidents include unauthorized access to systems; improper use of computing resources; and the installation of malicious software, among others. Reported attacks and unintentional incidents involving federal, private, and infrastructure systems demonstrate that the impact of a serious attack could be significant, including loss of personal or sensitive information, disruption or destruction of critical infrastructure, and damage to national and economic security. What GAO Recommends: GAO has previously made recommendations to resolve identified significant control deficiencies. View [hyperlink, http://www.gao.gov/products/GAO-12-666T]. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. [End of section] Chairman McCaul, Ranking Member Keating, and Members of the Subcommittee: Thank you for the opportunity to testify at today's hearing on the cyber-based threats facing our nation. The increasing dependency upon information technology (IT) systems and networked operations pervades nearly every aspect of our society. In particular, increasing computer interconnectivity--most notably growth in the use of the Internet--has revolutionized the way that our government, our nation, and much of the world communicate and conduct business. While bringing significant benefits, this dependency can also create vulnerabilities to cyber-based threats. Pervasive and sustained cyber attacks against the United States could have a potentially devastating impact on federal and nonfederal systems and operations. In January 2012, the Director of National Intelligence testified that such threats pose a critical national and economic security concern.[Footnote 1] These growing and evolving threats can potentially affect all segments of our society--individuals; private businesses; local, state, and federal governments; and other entities. Underscoring the importance of this issue, we have designated federal information security as a high-risk area since 1997 and in 2003 expanded this area to include protecting computerized systems supporting our nation's critical infrastructure.[Footnote 2] In my testimony today, I will describe (1) cyber threats facing the nation's systems, (2) vulnerabilities present in federal systems and systems supporting critical infrastructure,[Footnote 3] and (3) reported cyber incidents and their impacts. In preparing this statement in April 2012, we relied on our previous work in these areas. (Please see the related GAO products in appendix I.) These products contain detailed overviews of the scope and methodology we used. We also reviewed more recent agency, inspector general, and GAO assessments of security vulnerabilities at federal agencies and information on security incidents from the U.S. Computer Emergency Readiness Team (US-CERT), media reports, and other publicly available sources. The work on which this statement is based was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provided a reasonable basis for our findings and conclusions based on our audit objectives. Background: As computer technology has advanced, both government and private entities have become increasingly dependent on computerized information systems to carry out operations and to process, maintain, and report essential information. Public and private organizations rely on computer systems to transmit sensitive and proprietary information, develop and maintain intellectual capital, conduct operations, process business transactions, transfer funds, and deliver services. In addition, the Internet has grown increasingly important to American business and consumers, serving as a medium for hundreds of billions of dollars of commerce each year, as well as developing into an extended information and communications infrastructure supporting vital services such as power distribution, health care, law enforcement, and national defense. Consequently, the security of these systems and networks is essential to protecting national and economic security, public health and safety, and the flow of commerce. Conversely, ineffective information security controls can result in significant risks, including: * loss or theft of resources, such as federal payments and collections; * inappropriate access to and disclosure, modification, or destruction of sensitive information, such as national security information, personal taxpayer information, or proprietary business information; * disruption of critical operations supporting critical infrastructure, national defense, or emergency services; * undermining of agency missions due to embarrassing incidents that erode the public's confidence in government; and: * use of computer resources for unauthorized purposes or to launch attacks on other computers systems. The Nation Faces an Evolving Array of Cyber-Based Threats: Cyber-based threats are evolving and growing and arise from a wide array of sources. These threats can be unintentional or intentional. Unintentional threats can be caused by software upgrades or defective equipment that inadvertently disrupt systems. Intentional threats include both targeted and untargeted attacks from a variety of sources, including criminal groups, hackers, disgruntled employees, foreign nations engaged in espionage and information warfare, and terrorists. These threat sources vary in terms of the capabilities of the actors, their willingness to act, and their motives, which can include monetary gain or political advantage, among others. Table 1 shows common sources of cyber threats. Table 1: Sources of Cybersecurity Threats: Threat source: Bot-network operators; Description: Bot-net operators use a network, or bot-net, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made available on underground markets (e.g., purchasing a denial-of-service attack or services to relay spam or phishing attacks). Threat source: Criminal groups; Description: Criminal groups seek to attack systems for monetary gain. Specifically, organized criminal groups use spam, phishing, and spyware/malware to commit identity theft, online fraud, and computer extortion. International corporate spies and criminal organizations also pose a threat to the United States through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop hacker talent. Threat source: Hackers; Description: Hackers break into networks for the thrill of the challenge, bragging rights in the hacker community, revenge, stalking, monetary gain, and political activism, among other reasons. While gaining unauthorized access once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency, the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage. Threat source: Insiders; Description: The disgruntled organization insider is a principal source of computer crime. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat includes contractors hired by the organization, as well as careless or poorly trained employees who may inadvertently introduce malware into systems. Threat source: Nations; Description: Nations use cyber tools as part of their information- gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power--impacts that could affect the daily lives of citizens across the country. In his January 2012 testimony, the Director of National Intelligence stated that, among state actors, China and Russia are of particular concern. Threat source: Phishers; Description: Individuals or small groups execute phishing schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware or malware to accomplish their objectives. Threat source: Spammers; Description: Individuals or organizations distribute unsolicited e- mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware or malware, or attack organizations (e.g., a denial of service). Threat source: Spyware or malware authors; Description: Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several destructive computer viruses and worms have harmed files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer, and Blaster. Threat source: Terrorists; Description: Terrorists seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the economy, and damage public morale and confidence. Terrorists may use phishing schemes or spyware/malware in order to generate funds or gather sensitive information. Source: GAO analysis based on data from the Director of National Intelligence, Department of Justice, Central Intelligence Agency, and the Software Engineering Institute's CERT® Coordination Center. [End of table] These sources of cyber threats make use of various techniques, or exploits, that may adversely affect computers, software, a network, an organization's operation, an industry, or the Internet itself. Table 2 provides descriptions of common types of cyber exploits. Table 2: Types of Cyber Exploits: Type of exploit: Cross-site scripting; Description: An attack that uses third-party web resources to run script within the victim's web browser or scriptable application. This occurs when a browser visits a malicious website or clicks a malicious link. The most dangerous consequences occur when this method is used to exploit additional vulnerabilities that may permit an attacker to steal cookies (data exchanged between a web server and a browser), log key strokes, capture screen shots, discover and collect network information, and remotely access and control the victim's machine. Type of exploit: Denial-of-service; Description: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources. Type of exploit: Distributed denial-of-service; Description: A variant of the denial-of-service attack that uses numerous hosts to perform the attack. Type of exploit: Logic bombs; Description: A piece of programming code intentionally inserted into a software system that will cause a malicious function to occur when one or more specified conditions are met. Type of exploit: Phishing; Description: A digital form of social engineering that uses authentic- looking, but fake, e-mails to request information from users or direct them to a fake website that requests information. Type of exploit: Passive wiretapping; Description: The monitoring or recording of data, such as passwords transmitted in clear text, while they are being transmitted over a communications link. This is done without altering or affecting the data. Type of exploit: Structured Query Language (SQL) injection; Description: An attack that involves the alteration of a database search in a web-based application, which can be used to obtain unauthorized access to sensitive information in a database. Type of exploit: Trojan horse; Description: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms by, for example, masquerading as a useful program that a user would likely execute. Type of exploit: Virus; Description: A computer program that can copy itself and infect a computer without the permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. Unlike a computer worm, a virus requires human involvement (usually unwitting) to propagate. Type of exploit: War driving; Description: The method of driving through cities and neighborhoods with a wireless-equipped computer--sometimes with a powerful antenna-- searching for unsecured wireless networks. Type of exploit: Worm; Description: A self-replicating, self-propagating, self-contained program that uses network mechanisms to spread itself. Unlike computer viruses, worms do not require human involvement to propagate. Type of exploit: Zero-day exploit; Description: An exploit that takes advantage of a security vulnerability previously unknown to the general public. In many cases, the exploit code is written by the same person who discovered the vulnerability. By writing an exploit for the previously unknown vulnerability, the attacker creates a potent threat since the compressed timeframe between public discoveries of both makes it difficult to defend against. Source: GAO analysis of data from the National Institute of Standards and Technology, United States Computer Emergency Readiness Team, and industry reports. [End of table] The unique nature of cyber-based attacks can vastly enhance their reach and impact. For example, cyber attackers do not need to be physically close to their victims, technology allows attacks to easily cross state and national borders, attacks can be carried out at high speed and directed at a number of victims simultaneously, and cyber attackers can more easily remain anonymous. Moreover, the use of these and other techniques is becoming more sophisticated, with attackers using multiple or "blended" approaches that combine two or more techniques. Using these techniques, threat actors may target individuals, resulting in loss of privacy or identity theft; businesses, resulting in the compromise of proprietary information or intellectual capital; critical infrastructures, resulting in their disruption or destruction; or government agencies, resulting in the loss of sensitive information and damage to economic and national security. Systems Supporting Federal Operations and Critical Infrastructure Are Vulnerable to Cyber Attacks: Significant weaknesses in information security controls continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of federal agencies. For example, in their performance and accountability reports and annual financial reports for fiscal year 2011, 18 of 24 major federal agencies[Footnote 4] indicated that inadequate information security controls were either material weaknesses or significant deficiencies[Footnote 5] for financial reporting purposes. In addition, inspectors general at 22 of the major agencies identified information security or information system control as a major management challenge for their agency. Agency, inspectors general, and GAO assessments of information security controls during fiscal year 2011 revealed that most major federal agencies had weaknesses in most of the five major categories of information system controls: (1) access controls, which ensure that only authorized individuals can read, alter, or delete data; (2) configuration management controls, which provide assurance that only authorized software programs are implemented; (3) segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection; (4) continuity of operations planning, which helps avoid significant disruptions in computer-dependent operations; and (5) agencywide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented. Figure 1 shows the number of agencies that had vulnerabilities in these five information security control categories. Figure 1: Information Security Weaknesses at 24 Major Federal Agencies in Fiscal Year 2011: [Refer to PDF for image: vertical bar graph] Access control: Number of Agencies: 24. Configuration management: Number of Agencies: 22. Segregation of duties: Number of Agencies: 14. Contingency planning: Number of Agencies: 17. Security management: Number of Agencies: 23. Source: GAO analysis of agency, inspectors general, and GAO reports. [End of figure] Over the past several years, we and agency inspectors general have made hundreds of recommendations to resolve similar previously identified significant control deficiencies. We have also recommended that agencies fully implement comprehensive, agencywide information security programs, including by correcting weaknesses in specific areas of their programs. The effective implementation of these recommendations will strengthen the security posture at these agencies. In addition, securing the control systems that monitor and control sensitive processes and physical functions supporting many of our nation's critical infrastructures is a national priority, and we have identified vulnerabilities in these systems. For example, in September 2007, we reported that critical infrastructure control systems faced increasing risks due to cyber threats, system vulnerabilities, and the serious potential impact of possible attacks.[Footnote 6] Specifically, we determined that critical infrastructure owners faced both technical and organizational challenges to securing control systems, such as limited processing capabilities and developing compelling business cases for investing in control systems security, among others. We further identified federal initiatives under way to help secure these control systems, but noted that more needed to be done to coordinate these efforts and address shortfalls. We made recommendations to the Department of Homeland Security to develop a strategy for coordinating control systems security efforts and enhance information sharing with relevant stakeholders. Since this report, the department formed the Industrial Control Systems Cyber Emergency Response Team to provide industrial control system stakeholders with situational awareness and analytical support to effectively manage risk. In addition, it has taken several actions, such as developing a catalog of recommended security practices for control systems, developing a cybersecurity evaluation tool that allows asset owners to assess their control systems and overall security posture, and collaborating with others to promote control standards and system security. We have not evaluated these activities to assess their effectiveness in improving the security of control systems against cyber threats. In May 2008, we reported that the Tennessee Valley Authority's (TVA) corporate network contained security weaknesses that could lead to the disruption of control systems networks and devices connected to that network.[Footnote 7] We made 19 recommendations to improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures and 73 recommendations to address weaknesses in information security controls. TVA concurred with the recommendations and has taken steps to implement them. In addition to those present in federal systems and systems supporting critical infrastructure, vulnerabilities in mobile computing devices used by individuals or organizations may provide openings to cyber threats. For example, consumers and federal agencies are increasing their use of mobile devices to communicate and access services over the Internet. The use of these devices offers many benefits including ease of sending and checking messages and remotely accessing information online; however, it can also introduce information security risks if not properly protected. We have ongoing work to determine (1) what common security threats and vulnerabilities affect generally available cellphones, smartphones, and tablets; (2) what security features and practices have been identified to mitigate the risks associated with these vulnerabilities; and (3) the extent to which government and private entities are addressing security vulnerabilities of mobile devices. Number of Cybersecurity Incidents Reported by Federal Agencies Continues to Rise, and Recent Incidents Illustrate Serious Risk: Federal agencies have reported increasing numbers of security incidents that placed sensitive information at risk, with potentially serious impacts on federal operations, assets, and people. When incidents occur, agencies are to notify the federal information security incident center--US-CERT. Over the past 6 years, the number of incidents reported by federal agencies to US-CERT has increased from 5,503 incidents in fiscal year 2006 to 42,887 incidents in fiscal year 2011, an increase of nearly 680 percent (see figure 2).[Footnote 8] Figure 2: Incidents Reported to US-CERT: Fiscal Years 2006-2011: [Refer to PDF for image: vertical bar graph] Fiscal Year: 2006; Number of incidents reported: 5,503. Fiscal Year: 2007; Number of incidents reported: 11,911. Fiscal Year: 2008; Number of incidents reported: 16,843. Fiscal Year: 2009; Number of incidents reported: 29,999. Fiscal Year: 2010; Number of incidents reported: 41,776. Fiscal Year: 2011; Number of incidents reported: 42,887. Source: GAO analysis of US-CERT data for fiscal year 2006-2011. [End of figure] Agencies reported the types of incidents and events based on US-CERT- defined categories. As indicated in figure 3, the two most prevalent types of incidents and events reported to US-CERT during fiscal year 2011 were unconfirmed incidents under investigation and malicious code. Figure 3: Types of Incidents Reported to US-CERT in Fiscal Year 2011 by Category: [Refer to PDF for image: pie-chart] Investigation: 31%; Malicious code: 27%; Improper usage: 19%; Unauthorized access: 16%; Scans/probes/attempted access: 7%; Denial of service: 0%. Source: GAO analysis of US-CERT data for fiscal yea 2011. [End of figure] Reported attacks and unintentional incidents involving federal, private, and critical infrastructure systems demonstrate that the impact of a serious attack could be significant. These agencies and organizations have experienced a wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches, underscoring the need for improved security practices. The following examples from news media and other public sources illustrate that a broad array of information and assets remain at risk. * In April 2012, hackers breached a server at the Utah Department of Health to access thousands of Medicaid records. Included in the breach were Medicaid recipients and clients of the Children's Health Insurance Plan. About 280,000 people had their Social Security numbers exposed. In addition, another 350,000 people listed in the eligibility inquiries may have had other sensitive data stolen, including names, birth dates, and addresses. * In March 2012, it was reported that a security breach at Global Payments, a firm that processed payments for Visa and Mastercard, could compromise the credit-and debit-card information of millions of Americans. Subsequent to the reported breach, the company's stock fell more than 9 percent before trading in its stock was halted. Visa also removed the company from its list of approved processors. * In February 2012, the inspector general at the National Aeronautics and Space Administration testified that an unencrypted notebook computer had been stolen from the agency in March 2011. The theft resulted in the loss of the algorithms used to command and control the International Space Station. * In March 2012, a news wire service reported that the senior commander of the North Atlantic Treaty Organization (NATO) had been the target of repeated cyber attacks using the social networking website Facebook that were believed to have originated in China. According to the article, hackers repeatedly tried to dupe those close to the commander by setting up fake Facebook accounts in his name in the hope that his acquaintances would make contact and answer private messages, potentially divulging sensitive information about the commander or themselves. * In March 2012, it was reported that Blue Cross Blue Shield of Tennessee paid out a settlement of $1.5 million to the U.S. Department of Health and Human Services arising from potential violations stemming from the theft of 57 unencrypted computer hard drives that contained protected health information of over 1 million individuals. * In January 2012, the Department of Commerce discovered that the computer network of the department's Economic Development Administration (EDA) was hit with a virus, forcing EDA to disable e- mail services and Internet access pending investigation into the cause and scope of the problem, which persisted for over 12 weeks. * In June 2011, a major bank reported that hackers had broken into its systems and gained access to the personal information of hundreds of thousands of customers. Through the bank's online banking system, the attackers were able to view certain private customer information. * Citi reissued over 200,000 cards after a May 2011 website breach. About 360,000 of its approximately 23.5 million North American card accounts were affected, resulting in the potential for misuse of cardholder personal information. * In April 2011, Sony disclosed that it suffered a massive breach in its video game online network that led to the theft of personal information, including the names, addresses, and possibly credit card data belonging to 77 million user accounts. * In February 2011, media reports stated that computer hackers had broken into and stolen proprietary information worth millions of dollars from the networks of six U.S. and European energy companies. * In July 2010, a sophisticated computer attack, known as Stuxnet, was discovered. It targeted control systems used to operate industrial processes in the energy, nuclear, and other critical sectors, reportedly causing physical damage. It is designed to exploit a combination of vulnerabilities to gain access to its target and modify code to change the process. * A retailer reported in May 2011 that it had suffered a breach of its customers' card data. The company discovered tampering with the personal identification number (PIN) pads at its checkout lanes in stores across 20 states. * In August 2006, two circulation pumps at Unit 3 of the Browns Ferry, Alabama, nuclear power plant failed, forcing the unit to be shut down manually. The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device. These incidents illustrate the serious impact that cyber threats can have on federal agency operations, the operations of critical infrastructures, and the security of sensitive personal and financial information. In summary, the cyber-threats facing the nation are evolving and growing, with a wide array of potential threat actors having access to increasingly sophisticated techniques for exploiting system vulnerabilities. The danger posed by these threats is heightened by the weaknesses that continue to exist in federal information systems and systems supporting critical infrastructures. Ensuring the security of these systems is critical to avoiding potentially devastating impacts, including loss, disclosure, or modification of personal or sensitive information; disruption or destruction of critical infrastructure; and damage to our national and economic security. Chairman McCaul, Ranking Member Keating, and Members of the Subcommittee, this concludes my statement. I would be happy to answer any questions you have at this time. Contact and Acknowledgments: If you have any questions regarding this statement, please contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Other key contributors to this statement include Michael Gilmore and Anjalique Lawrence (Assistant Directors), Kristi C. Dorsey, and Lee A. McCracken. [End of section] Appendix I: Related GAO Products: Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures. [hyperlink, http://www.gao.gov/products/GAO-12-424R]. Washington, D.C.: April 13, 2012. IT Supply Chain: National Security-Related Agencies Need to Better Address Risks. [hyperlink, http://www.gao.gov/products/GAO-12-361]. Washington, D.C.: March 23, 2012. Information Security: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data. [hyperlink, http://www.gao.gov/products/GAO-12-393]. Washington, D.C.: March 16, 2012. Cybersecurity: Challenges in Securing the Modernized Electricity Grid. [hyperlink, http://www.gao.gov/products/GAO-12-507T]. Washington, D.C.: February 28, 2012. Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use. [hyperlink, http://www.gao.gov/products/GAO-12-92]. Washington, D.C.: December 9, 2011. Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination. [hyperlink, http://www.gao.gov/products/GAO-12-8]. Washington, D.C.: November 29, 2011. Information Security: Additional Guidance Needed to Address Cloud Computing Concerns. [hyperlink, http://www.gao.gov/products/GAO-12-130T]. Washington, D.C.: October 6, 2011. Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements. [hyperlink, http://www.gao.gov/products/GAO-12-137]. Washington, D.C.: October 3, 2011. Personal ID Verification: Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards. [hyperlink, http://www.gao.gov/products/GAO-11-751]. Washington, D.C.: September 20, 2011. Information Security: FDIC Has Made Progress, but Further Actions Are Needed to Protect Financial Data. [hyperlink, http://www.gao.gov/products/GAO-11-708]. Washington, D.C.: August 12, 2011. Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure. [hyperlink, http://www.gao.gov/products/GAO-11-865T]. Washington, D.C.: July 26, 2011. Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities. [hyperlink, http://www.gao.gov/products/GAO-11-75]. Washington, D.C.: July 25, 2011. Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain. [hyperlink, http://www.gao.gov/products/GAO-11-149]. Washington, D.C.: July 8, 2011. Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate. [hyperlink, http://www.gao.gov/products/GAO-11-605]. Washington, D.C.: Jun 28, 2011. Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems. [hyperlink, http://www.gao.gov/products/GAO-11-463T]. Washington, D.C.: March 16, 2011. High-Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-11-278]. Washington, D.C.: February 2011. Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed. [hyperlink, http://www.gao.gov/products/GAO-11-117]. Washington, D.C.: January 12, 2011. Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk. [hyperlink, http://www.gao.gov/products/GAO-11-43]. Washington, D.C.: November 30, 2010. Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed. [hyperlink, http://www.gao.gov/products/GAO-11-24]. Washington, D.C.: October 6, 2010. Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems. [hyperlink, http://www.gao.gov/products/GAO-10-916]. Washington, D.C.: September 15, 2010. Information Management: Challenges in Federal Agencies' Use of Web 2.0 Technologies. [hyperlink, http://www.gao.gov/products/GAO-10-872T]. Washington, D.C.: July 22, 2010. Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed. [hyperlink, http://www.gao.gov/products/GAO-10-628]. Washington, D.C.: July 15, 2010. Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance. [hyperlink, http://www.gao.gov/products/GAO-10-606]. Washington, D.C.: July 2, 2010. Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats. [hyperlink, http://www.gao.gov/products/GAO-10-834T]. Washington, D.C.: June 16, 2010. Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development. [hyperlink, http://www.gao.gov/products/GAO-10-466]. Washington, D.C.: June 3, 2010. Information Security: Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. [hyperlink, http://www.gao.gov/products/GAO-10-513]. Washington, D.C.: May 27, 2010. Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements. [hyperlink, http://www.gao.gov/products/GAO-10-202]. Washington, D.C.: March 12, 2010. Information Security: Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies. [hyperlink, http://www.gao.gov/products/GAO-10-237]. Washington, D.C.: March 12, 2010. Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative. [hyperlink, http://www.gao.gov/products/GAO-10-338]. Washington, D.C.: March 5, 2010. National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen the Nation's Posture. [hyperlink, http://www.gao.gov/products/GAO-09-432T]. Washington, D.C.: March 10, 2009. Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks. [hyperlink, http://www.gao.gov/products/GAO-08-526]. Washington, D.C.: May 21, 2008. Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain. [hyperlink, http://www.gao.gov/products/GAO-07-1036]. Washington, D.C.: September 10, 2007. [End of section] Footnotes: [1] James R. Clapper, Director of National Intelligence, Unclassified Statement for the Record on the Worldwide Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence (January 31, 2012). [2] See, most recently, GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011). [3] Critical infrastructures are systems and assets, whether physical or virtual, so vital to our nation that their incapacity or destruction would have a debilitating impact on national security, economic well-being, public health or safety, or any combination of these. [4] The 24 major departments and agencies are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development. [5] A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. [6] GAO, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain, [hyperlink, http://www.gao.gov/products/GAO-07-1036] (Washington, D.C.: Sept. 10, 2007). [7] GAO, Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks, [hyperlink, http://www.gao.gov/products/GAO-08-526] (Washington, D.C.: May 21, 2008). [8] According to US-CERT, the growth in the number of incidents is attributable, in part, to agencies improving detection and reporting of security incidents on their respective networks. [End of section] GAO’s Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select “E- mail Updates.” Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548.