Pervasive and sustained cyber attacks against the United States could have a potentially devastating impact on federal and nonfederal systems, disrupting the operations of governments and businesses and the lives of private individuals.
The increasing dependency upon information technology systems and networked operations pervades nearly every aspect of our society. While bringing significant benefits, this dependency can also create vulnerabilities to cyber-based threats. To underscore the importance of safeguarding critical information and information systems, and the weaknesses in such efforts, federal information security and the protection of computerized systems supporting our nation's critical infrastructure are designated a high-risk area.
Federal agencies have significant weaknesses in information security controls that continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support their operations, assets, and personnel. For example, in their performance and accountability reports and annual financial reports for fiscal year 2011, 18 of 24 major federal agencies indicated that inadequate information security controls were either material weaknesses or significant deficiencies.
In addition, most major federal agencies have weaknesses in most of the five major categories of information system controls:
- access controls, which ensure that only authorized individuals can read, alter, or delete data;
- configuration management controls, which provide assurance that only authorized software programs are implemented;
- segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection;
- continuity of operations planning, which helps avoid significant disruptions in computer-dependent operations; and
- agencywide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented.
Figure 1 shows the number of agencies that had vulnerabilities in these five information security control categories during fiscal year 2011.
Figure 1: Information Security Weaknesses at 24 Major Federal Agencies in Fiscal Year 2011
Critical infrastructures are systems and assets, whether physical or virtual, so vital to our nation that their incapacity or destruction would have a debilitating impact on national security, economic well-being, public health or safety, or any combination of these. Critical infrastructure includes, among other things, banking and financial institutions, telecommunications networks, and energy production and transmission facilities, most of which are owned by the private sector. As these critical infrastructures have become increasingly dependent on computer systems and networks, the interconnectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt critical systems, with potentially harmful effects.
The federal government has taken a number of steps aimed at addressing cyber threats to critical infrastructure. Despite the actions taken by several successive administrations and the executive branch agencies, significant challenges remain to enhancing the protection of cyber-reliant critical infrastructures, such as
- implementing actions recommended by the president's cybersecurity policy review;
- updating the national strategy for securing the information and communications infrastructure;
- reassessing DHS's planning approach to critical infrastructure protection;
- strengthening public-private partnerships, particularly for information sharing;
- enhancing the national capability for cyber warning and analysis;
- addressing global aspects of cybersecurity and governance; and
- securing the modernized electricity grid, referred to as the smart grid.
GAO-12-666T, Apr 24, 2012
IT Supply Chain
- GAO-12-361, Mar 23, 2012
- GAO-12-137, Oct 3, 2011
- GAO-11-865T, Jul 26, 2011
- GAO-11-24, Oct 6, 2010
Federal Information Security
- GAO-13-776, Sep 26, 2013
- GAO-13-275, Apr 3, 2013
- GAO-13-350, Mar 15, 2013
- GAO-13-462T, Mar 7, 2013
- GAO-13-187, Feb 14, 2013
- GAO-13-155, Jan 25, 2013
- GAO-13-63, Jan 22, 2013
- GAO-12-757, Sep 18, 2012
- GAO-12-816, Aug 31, 2012
- GAO-12-696, Jul 19, 2012