A majority of U.S. federal agencies appear to be unprepared to deal with emerging information-security threats such as spyware, phishing, and spam, according to a report released this week by the U.S. Government Accountability Office. Adding to the problem is a lack of guidance on what exactly government agencies need to report when it comes to these threats, as well as how and to whom they should report such incidents.
As a result, "the federal government is limited in its ability to identify and respond to emerging cybersecurity threats, including sophisticated and coordinated attacks that target multiple federal entities," the 79-page report warned.
The GAO report is based on input from security executives at 24 major federal agencies and discusses potential threats, reported agency perception to these threats and efforts to address them.
According to the GAO, spam, phishing, and spyware all pose potent and growing threats to the integrity of federal information systems. Phishing scams, for instance, can result in identity theft and loss of confidential information, the GAO said, adding that several agencies--including the FBI and the Internal Revenue Service--had already fallen victim to phishers.
Similarly, spyware programs threaten the integrity of federal systems because of their ability to monitor and reconfigure the systems they infect, the report said. "The blending of these threats creates additional risks that cannot be easily mitigated with currently available tools," the GAO said.
Work Yet to Start
Even so, a majority of the agencies have not yet begun addressing these threats as part of the information security programs they are required to implement under the Federal Information Security Management Act of 2002.
In many instances, spyware, phishing, and spam are not even considered security threats. For example, 19 of the 24 agencies reported productivity and bandwidth-related issues resulting from spam e-mail, while only one agency identified it as a potential security problem. Similarly, 17 of the 24 agencies reported that they had not assessed the risk posed to their networks by phishing. And reports provided by 20 agencies showed that all of those agencies lack a formal incident response plan for dealing with phishing and spyware.
There was also little consistency in the way agencies report problems. Some reported them to the Department of Homeland Security's U.S. Computer Emergency Readiness Team, as required, while others reported incidents to law enforcement agencies. Still others did not report incidents outside their agencies at all. Neither the Office of Management and Budget nor the Department of Homeland Security--the entities responsible for coordinating the government's response to cyberthreats--has issued guidelines spelling out when and how to escalate incidents of emerging threats to the US-CERT, the GAO said.
The GAO recommended that the OMB and the DHS establish agency guidelines for dealing with emerging cyberthreats and how to report any incident.
The GAO also noted that the OMB is currently working with the US-CERT to develop formal guidelines and a common set of terms and reporting procedures that federal entities can use to report incidents involving new and emerging cyberthreats. That document is expected to be published this summer.
This story, "Federal Study Says U.S. Agencies Not Prepared to Fight Cyberthreats" was originally published by Computerworld.