[ISN] GAO: Feds miss mark on security reporting

InfoSec News isn at c4i.org
Tue Jun 14 12:48:42 EDT 2005


By Florence Olsen
June 13, 2005

Federal agencies need more detailed instructions to handle and report 
computer security threats, such as phishing, spyware and hacking, 
government auditors said in a report released today. 

Government Accountability Office auditors have found that most federal 
officials do not understand which computer security incidents they 
should report or how and to whom they should report them, even though 
such reporting is mandatory under the Federal Information Security 
Management Act.

As a result, the Homeland Security Department's U.S. Computer 
Emergency Readiness Team, which handles incident reporting, is unable 
to coordinate and respond to cyberthreats that target multiple federal 

To remedy the lack of accurate and comprehensive reporting, the 
auditors recommended that Office of Management and Budget officials 
increase their oversight of agencies' efforts to detect, report and 
respond to emerging cybersecurity threats. 

The report identifies the perpetrators of such threats as hackers, 
insiders, phishers, spammers and botnet operators. Botnet operators 
control computers infected with "bot" viruses, which the operators use 
in denial-of-service attacks against targeted Web sites.

The auditors also asked OMB officials, in coordination with DHS 
cybersecurity experts and the U.S. attorney general, to develop 
governmentwide guidelines on how to deal with such threats and how to 
report them to DHS and law enforcement agencies.

In their response to the report, OMB officials agreed to expand their 
FISMA reporting requirements to include agencies' response to emerging 
threats. They also plan to issue a document this summer that will 
define computer incident terms and clarify the roles and 
responsibilities of federal agencies for reporting computer security 

The additional guidelines are needed, the auditors said, because most 
agencies have not fully addressed the risks of new cybersecurity 
threats as part of their agencywide information security programs.
