Pervasive and sustained cyber attacks against the United States could have a devastating impact on federal and nonfederal systems, disrupting the operations of governments and businesses and the lives of private individuals.
The increasing dependency upon information technology systems and networked operations pervades nearly every aspect of our society. While bringing significant benefits, this dependency also creates vulnerabilities to cyber-based threats. Because of the importance of safeguarding critical information and information systems, and because of persistent weaknesses in such efforts, federal information security and the protection of computerized systems supporting our nation’s critical infrastructure are designated a high-risk area.
Federal agencies have significant weaknesses in information security controls that continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support their operations, assets, and personnel. For example, in their performance and accountability reports and annual financial reports for fiscal year 2014, 17 of 24 major federal agencies indicated that inadequate information security controls were either material weaknesses or significant deficiencies.
In addition, most of the 24 major federal agencies have weaknesses in most of the five major categories of information system controls:
- access controls, which ensure that only authorized individuals can read, alter, or delete data;
- configuration management controls, which provide assurance that only authorized software programs are implemented;
- segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection;
- continuity of operations planning, which helps avoid significant disruptions in computer-dependent operations; and
- agencywide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented.
Figure 1 shows the number of agencies that had vulnerabilities in these five information security control categories during fiscal year 2014.
Figure 1: Information Security Weaknesses at 24 Major Federal Agencies in Fiscal Year 2014
Critical infrastructures are systems and assets, whether physical or virtual, so vital to our nation that their incapacity or destruction would have a debilitating impact on national security, economic well-being, or public health or safety. Critical infrastructure includes, among other things, banking and financial institutions, telecommunications networks, and energy production and transmission facilities, most of which are owned by the private sector. As these critical infrastructures have become increasingly dependent on computer systems and networks, the interconnectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt critical systems, with potentially harmful effects.
The federal government has taken a number of steps aimed at addressing cyber threats to critical infrastructure. Despite the actions taken by several successive administrations and by executive branch agencies, significant challenges remain to enhancing the protection of cyber-reliant critical infrastructures, such as
- implementing a strategy to address cyber risks to federal building and access control systems;
- improving federal efforts to implement cybersecurity in the maritime port environment; and
- enhancing cybersecurity for air traffic control systems.
Other challenges that need to be addressed include
- developing and implementing procedures to help protect national security-related agencies’ systems from information technology (IT) supply chain risk;
- enhancing the oversight of contractors providing IT services;
- improving security incident response practices;
- implementing security programs at small agencies;
- implementing programs to protect the privacy of personally identifiable information (PII) and responding to breaches of PII; and
- protecting the privacy of mobile device location data.
GAO-15-221: Published: Jan 29, 2015. Publicly Released: Mar 2, 2015.
GAO-15-6: Published: Dec 12, 2014. Publicly Released: Jan 12, 2015.
GAO-14-354: Published: Apr 30, 2014. Publicly Released: May 30, 2014.
GAO-14-34: Published: Dec 9, 2013. Publicly Released: Jan 8, 2014.
GAO-13-187: Published: Feb 14, 2013. Publicly Released: Feb 14, 2013.
GAO-16-359: Published: May 17, 2016. Publicly Released: May 17, 2016.
GAO-16-493: Published: Apr 28, 2016. Publicly Released: Apr 28, 2016.
GAO-16-590T: Published: Apr 14, 2016. Publicly Released: Apr 14, 2016.
GAO-16-589T: Published: Apr 12, 2016. Publicly Released: Apr 12, 2016.
GAO-16-398: Published: Mar 28, 2016. Publicly Released: Mar 28, 2016.
GAO-16-350: Published: Mar 24, 2016. Publicly Released: Apr 25, 2016.
GAO-16-265: Published: Mar 23, 2016. Publicly Released: Mar 23, 2016.
GAO-16-294: Published: Jan 28, 2016. Publicly Released: Jan 28, 2016.
GAO-16-152: Published: Dec 17, 2015. Publicly Released: Dec 17, 2015.
GAO-16-79: Published: Nov 19, 2015. Publicly Released: Nov 19, 2015.