From the U.S. Government Accountability Office, www.gao.gov

Transcript for: IT Security of High-Impact Systems

Description: Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology

Related GAO Work: GAO-16-501: Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems

Released: June 2016

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. It's June 2016. Of thousands of information technology systems that the federal government uses, some systems are categorized as high impact. These are systems that hold sensitive information which, if lost, could cause catastrophic harm to individuals, the government, and the nation. Greg Wilshusen, a director in GAO's Information Technology team, co-led a recent review of how agencies are identifying and protecting against threats to these systems. GAO's Jacques Arsenault sat down with Greg to talk about what they found.

[ Jacques Arsenault: ] When you use the term high-impact systems, can you tell me the kinds of IT systems that we're talking about?

[ Greg Wilshusen: ] Sure, these would be systems that process information where the loss of either the confidentiality, integrity, or availability of that information or the system would create a severe or catastrophic impact on the agency. And that can result in, for example, a major loss of financial resources, it could result in major damage to assets, or it could even cause the loss of life or serious injury to the organization's personnel.

[ Jacques Arsenault: ] So could you give me some examples of what these systems might be?

[ Greg Wilshusen: ] Well, one example, as you may know, is the OPM system that was breached last year. That was also a high-impact system, in part because of the type of information it contained, but also since the compromise of the confidentiality of that information has resulted in a major financial loss.

[ Jacques Arsenault: ] And so, how many of these systems overall does the government have and how do they designate them?

[ Greg Wilshusen: ] Okay. Well, these are designated as high-impact systems and there are 912 such systems as reported by the 24 CFO Act agencies, and that is out of a total of about 9,700 systems. So it comprises about 9 percent of all federal systems for these agencies.

[ Jacques Arsenault: ] So that's a lot of data to protect. What are agencies doing to identify threats or protect systems?

[ Greg Wilshusen: ] Well, they have a number of sources from which to identify these threats. These include, for example, US-CERT, the Computer Emergency Readiness Team in the Department of Homeland Security, which provides technical alerts on threats and known incidents that are presently occurring. In addition, agencies identified information from the National Institute of Standards and Technology database on common vulnerabilities and exposures.

[ Jacques Arsenault: ] And so the threats would include some of the things that we've heard about, like hacking into systems?

[ Greg Wilshusen: ] Most definitely. Agencies reported that the most serious and prevalent threats that they face are phishing and spear phishing attacks, and these are attacks that tend to use deceit in order to entice someone to provide sensitive information. And they also include credential-based attacks such as password cracking or guessing someone's password and reusing it. Agencies identified that the most common vectors, or means by which these attacks occur, are email and websites, which is not surprising since that's how many users actually communicate in the normal course of their business. And the most prevalent threat actors or sources of threats are those that relate to nations, as well as malicious insiders and external parties that may not be known to the agency.

[ Jacques Arsenault: ] Okay, well then let me ask you, what's the federal government doing to protect these systems against these kinds of threats?

[ Greg Wilshusen: ] Well, federal agencies, particularly the National Institute of Standards and Technology, have developed a cyber security framework, and it's an ongoing cycle of activities that agencies should follow in order to help protect against these threats. And they include, first of all, categorizing the impact of harm that could occur should a system be compromised, and then selecting the appropriate set of controls to protect at that level of risk. And, for example, the high-impact systems have 83 specific unique controls that should be implemented for them in addition to all the controls that are needed for low- and moderate-impact systems. So there are a number of activities that agencies need to do, and what we found is that the implementation of that has been inconsistent.

[ Jacques Arsenault: ] Can you tell me a little more about that? It sounds like there are a lot of requirements for all systems, and then these 83 that you mentioned. Did you find out anything about how well agencies are doing to implement those?

[ Greg Wilshusen: ] Well, yes we did. We actually went to four agencies and examined the security controls over two systems at each of those agencies. And we found that the agencies had implemented and developed and documented many controls to help protect those systems. But at the same time, several key controls were not being consistently implemented. And these include assessing the risks to include all types of threats and risks to those agencies or to those systems, and updating their security plans, which will be needed to identify the appropriate set of controls that should be implemented for those systems. And this is something that we have identified not only on this audit but on other audits: the inconsistent implementation of required controls.

[ Jacques Arsenault: ] So it sounds like there's a lot that agencies are doing but plenty more work that still needs to be done. What would you say is the bottom line of this report?

[ Greg Wilshusen: ] Well, one is that federal agencies and their high-impact systems face numerous cyber security threats. And while there are guidance and initiatives available to agencies to help protect their systems against these threats, implementation has been inconsistent and more needs to be done to better protect the sensitive information on these systems.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the congressional watchdog, the U.S. Government Accountability Office.