Cybersecurity

Pervasive and sustained cyber attacks against the United States could have a potentially devastating impact on federal and nonfederal systems, disrupting the operations of governments and businesses and the lives of private individuals.

The increasing dependency upon information technology systems and networked operations pervades nearly every aspect of our society. While bringing significant benefits, this dependency can also create vulnerabilities to cyber-based threats. Underscoring both the importance of safeguarding critical information and information systems and the weaknesses in such efforts, federal information security and the protection of computerized systems supporting our nation’s critical infrastructure are designated a high-risk area.

Federal agencies have significant weaknesses in information security controls that continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support their operations, assets, and personnel. For example, in their performance and accountability reports and annual financial reports for fiscal year 2011, 18 of 24 major federal agencies indicated that inadequate information security controls were either material weaknesses or significant deficiencies.

In addition, most major federal agencies have weaknesses in most of the five major categories of information system controls:

  • access controls, which ensure that only authorized individuals can read, alter, or delete data;
  • configuration management controls, which provide assurance that only authorized software programs are implemented;
  • segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection;
  • continuity of operations planning, which helps avoid significant disruptions in computer-dependent operations; and
  • agencywide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented.

Figure 1 shows the number of agencies that had vulnerabilities in these five information security control categories during fiscal year 2011.

Figure 1: Information Security Weaknesses at 24 Major Federal Agencies in Fiscal Year 2011

Critical infrastructures are systems and assets, whether physical or virtual, so vital to our nation that their incapacity or destruction would have a debilitating impact on national security, economic well-being, public health or safety, or any combination of these. Critical infrastructure includes, among other things, banking and financial institutions, telecommunications networks, and energy production and transmission facilities, most of which are owned by the private sector. As these critical infrastructures have become increasingly dependent on computer systems and networks, the interconnectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt critical systems, with potentially harmful effects.

The federal government has taken a number of steps aimed at addressing cyber threats to critical infrastructure. Despite the actions taken by several successive administrations and the executive branch agencies, significant challenges remain to enhancing the protection of cyber-reliant critical infrastructures, such as

  • implementing actions recommended by the president’s cybersecurity policy review;
  • updating the national strategy for securing the information and communications infrastructure;
  • reassessing DHS’s planning approach to critical infrastructure protection;
  • strengthening public-private partnerships, particularly for information sharing;
  • enhancing the national capability for cyber warning and analysis;
  • addressing global aspects of cybersecurity and governance; and
  • securing the modernized electricity grid, referred to as the “smart grid.”

Cybersecurity:

Threats Impacting the Nation
GAO-12-666T:
Published: Apr 24, 2012. Publicly Released: Apr 24, 2012.

IT Supply Chain:

National Security-Related Agencies Need to Better Address Risks
GAO-12-361:
Published: Mar 23, 2012. Publicly Released: Mar 23, 2012.

Information Security:

Weaknesses Continue Amid New Federal Efforts to Implement Requirements
GAO-12-137:
Published: Oct 3, 2011. Publicly Released: Oct 3, 2011.

Cybersecurity:

Continued Attention Needed to Protect Our Nation's Critical Infrastructure
GAO-11-865T:
Published: Jul 26, 2011. Publicly Released: Jul 26, 2011.

Cyberspace Policy:

More Reports

Information Security:

FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain
GAO-14-674:
Published: Jul 17, 2014. Publicly Released: Jul 17, 2014.

Information Security:

Additional Oversight Needed to Improve Programs at Small Agencies
GAO-14-344:
Published: Jun 25, 2014. Publicly Released: Jun 25, 2014.

Maritime Critical Infrastructure Protection:

DHS Needs to Better Address Port Cybersecurity
GAO-14-459:
Published: Jun 5, 2014. Publicly Released: Jun 5, 2014.

Information Security:

Agencies Need to Improve Cyber Incident Response Practices
GAO-14-354:
Published: Apr 30, 2014. Publicly Released: May 30, 2014.

Information Security:

SEC Needs to Improve Controls over Financial Systems and Data
GAO-14-419:
Published: Apr 17, 2014. Publicly Released: Apr 17, 2014.

Information Security:

IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk
GAO-14-405:
Published: Apr 8, 2014. Publicly Released: Apr 8, 2014.

Information Security:

Federal Agencies Need to Enhance Responses to Data Breaches
GAO-14-487T:
Published: Apr 2, 2014. Publicly Released: Apr 2, 2014.

Information Security:

VA Needs to Address Long-Standing Challenges
GAO-14-469T:
Published: Mar 25, 2014. Publicly Released: Mar 25, 2014.

Critical Infrastructure Protection:

More Comprehensive Planning Would Enhance the Cybersecurity of Public Safety Entities' Emerging Technology
GAO-14-125:
Published: Jan 28, 2014. Publicly Released: Jan 28, 2014.

Information Security:

Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent
GAO-14-34:
Published: Dec 9, 2013. Publicly Released: Jan 8, 2014.

Videos

High Risk: Information Security
  • Gregory C. Wilshusen
  • Director, Information Security Issues
  • wilshuseng@gao.gov
  • (202) 512-6244