Federal agencies are facing a set of emerging cybersecurity threats that are the result of increasingly sophisticated methods of attack and the blending of once distinct types of attack into more complex and damaging forms. Examples of these threats include spam (unsolicited commercial e-mail), phishing (fraudulent messages to obtain personal or sensitive data), and spyware (software that monitors user activity without user knowledge or consent). To address these issues, GAO was asked to determine (1) the potential risks to federal systems from these emerging cybersecurity threats, (2) the federal agencies' perceptions of risk and their actions to mitigate them, (3) federal and private-sector actions to address the threats on a national level, and (4) governmentwide challenges to protecting federal systems from these threats.
Recommendations for Executive Action
| Agency | Recommendation |
|---|---|
| Office of Management and Budget | In order to more effectively prepare for and address emerging cybersecurity threats, the Director, Office of Management and Budget, should ensure that agencies' information security programs required by FISMA address the risk of emerging cybersecurity threats such as spam, phishing, and spyware, including performing periodic risk assessments; implementing risk-based policies and procedures to mitigate identified risks; providing security-awareness training; and establishing procedures for detecting, reporting, and responding to incidents of emerging cybersecurity threats. |
| Office of Management and Budget | In order to more effectively prepare for and address emerging cybersecurity threats, the Director, Office of Management and Budget, should coordinate with the Secretary of Homeland Security and the Attorney General to establish governmentwide guidance for agencies on how to (1) address emerging cybersecurity threats and (2) report incidents to a single government entity, including clarifying the respective roles, responsibilities, processes, and procedures for federal entities--including homeland security and law enforcement. |