GAO: poor security procedures put sensitive government data at risk

Published 5 October 2011

A recently released Government Accountability Office (GAO) report found that poor information security practices at U.S. government agencies have put sensitive data and servers at risk

“Federal agencies’ information and information systems remain at risk,” the report concluded. “This risk is illustrated in part by the rising numbers of incidents reported by federal agencies in fiscal year 2010. At the same time, weaknesses in their information security policies and practices compromised their efforts to protect against threats.”

Over the past five years, reports of security incidents from federal agencies have increased by more than 650 percent. In 2006, a total of 5,503 incidents were reported to US-CERT; in 2010 that number had skyrocketed to 41,776.

Reported incidents included denial of service, malicious code, unauthorized access, and scans, probes, and attempted access.

Moreover, each of the twenty-four agencies audited had vulnerabilities in its information security controls largely as a result of not fully implementing security programs mandated under a 2002 law.

For instance, eighteen agencies had difficulty in identifying and authenticating information system users, while at least seven had such weak authentication practices that they could increase vulnerability to unauthorized use of their information systems.

“Without adequate access controls in place, agencies cannot ensure that their information resources are protected from intentional or unintentional harm,” the report stated.

Meanwhile, sixteen agencies did not adequately monitor networks for suspicious activities or report security incidents that had been detected.

In the past year alone, GAO auditors found several notable data breaches, including an incident in which an employee was tricked into opening an email that led him to a website which ultimately allowed hackers to steal sensitive personal information. The employee eventually found out that several credit cards had been opened in his name and large amounts of pet supplies had been ordered without his knowledge.

In another incident, a contractor at a federal agency sent an unencrypted email from his workstation to his personal email account. The action was detected and resulted in an investigation, which revealed that several agency personnel had had their personal information sent in an unencrypted email to an unauthorized account.

The report stated that “as long as agencies have not fully and effectively implemented their information security programs, including addressing the hundreds of recommendations that we and inspectors general have made, federal systems will remain at increased risk of attack or compromise.”

To secure these vulnerabilities, the report recommended that agencies move more quickly to implement information security guidelines outlined by the Federal Information Security Management Act (FISMA) of 2002.

More specifically, to help expedite the process and guarantee compliance, GAO recommended that the “Director of OMB provide performance targets for metrics included in OMB’s annual FISMA reporting instructions to agencies and inspectors general.”

“There is perhaps no greater vulnerability that Congress has yet to address through legislation than the insecurity of cyberspace,” said Senator Susan Collins (R – Maine) in response to the report. “We must fortify the government’s efforts to safeguard its own cyber networks from attack and build a public/private partnership to promote stronger national cyber-security.”