[ISN] GAO: Agencies not adequately addressing emerging cybersecurity threats

InfoSec News isn at c4i.org
Wed Jun 15 02:03:47 EDT 2005

Forwarded from: William Knowles <wk at c4i.org>
By William Jackson 
GCN Staff

Federal cybersecurity programs run the risk of becoming static and
unresponsive in the face of emerging threats, according to the
findings of a study by the Government Accountability Office.

The study [1], titled "Emerging Cybersecurity Issues Threaten Federal
Information Systems," focused on three challenges that have evolved
rapidly in the last three years: spam, phishing and spyware. Without
attention to such threats, the Federal Information Security Management
Act could become a Maginot Line against this blitzkrieg of new attacks.

"Many agencies have not fully addressed the risks of emerging
cybersecurity threats as part of their required agencywide information
security programs," GAO found.

Agencies are required to report all cybersecurity incidents, but there
is no governmentwide guidance on which incidents should be reported.  
The most recent guidance was issued in 2000, before the formation of
the U.S. Computer Emergency Readiness Team (US-CERT).

"Lacking the necessary guidance, agencies do not have a clear
understanding of which incidents they should be reporting, or how and
to whom they should report," GAO concluded.

As a result, government IT systems often remain exposed to
unrecognized threats. Some help may be on the way from the Office of
Management and Budget, charged with FISMA oversight, and the Homeland
Security Department.

OMB said it would begin incorporating new threats into its annual
agency FISMA reviews. Together with US-CERT, it is developing a
concept of operations and taxonomy for incident reporting, expected to
be released this summer.

Despite, or perhaps because of, the fact that they are so common, spam,
phishing and spyware often are not perceived as security threats, GAO found.
Only one of 24 major executive branch agencies surveyed recognized the
risk presented by spam for delivering malicious code or other attacks.  
Fourteen agencies reported that phishing had little or no impact,
despite the fact that the FBI, IRS and Federal Deposit Insurance Corp.  
have been targeted in phishing scams. Spyware was recognized as a
greater problem, with 11 agencies reporting some impact on
productivity caused by the intrusive programs.

Although a number of agencies have consumer awareness programs for
these threats, there are no programs to educate users within the

GAO recommended that: 

* Agencies include emerging threats in their required risk assessments 
  and planning required under FISMA, and 

* OMB, DHS and the attorney general develop guidelines for 
  comprehensive incident reporting

[1] http://www.gao.gov/new.items/d05231.pdf

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
