With the federal government reporting that cybersecurity attacks increased by 782 percent from 2006 to 2012, the Government Accountability Office (GAO) urged the White House in a new report to develop a new federal cybersecurity strategy to protect government IT data and systems.
The GAO noted that the federal government doesn’t have an overarching cybersecurity plan that outlines priority actions, assigns responsibilities for performing them, and sets timeframes for completion.
“Until an overarching national cybersecurity strategy is developed that addresses all key elements of desirable characteristics, overall progress in achieving the government’s objectives is likely to remain limited,” the report said.
The White House responded to the GAO by agreeing that more needs to be done to develop a coherent and comprehensive strategy on cybersecurity, according to an email response quoted in the report. However, it suggested that remaining flexible and focusing on achieving measurable improvements in cybersecurity would be more beneficial than developing “yet another strategy on top of existing strategies.”
The GAO highlighted nine of the most common cyber attacks in the report: bot-network operators, criminal groups, hackers, insiders, nations, phishers, spammers, spyware or malware authors and terrorists.
The most common cybersecurity attacks against the federal government in 2012 were the improper use of malicious code and unauthorized access. Improper usage accounted for 20 percent of total incidents reported by agencies. Reports of cyber-incidents affecting national security, intellectual property and individuals have been widespread and involve data loss or theft, economic loss, computer intrusions and privacy breaches.
The report also outlines five areas of cybersecurity that the government has addressed but that still remain a challenge:
- Designing and implementing risk-based federal and critical infrastructure programs
- Detecting, responding to and mitigating cyber-incidents
- Promoting education, awareness and workforce planning
- Promoting research and development
- Addressing international cybersecurity challenges
The GAO recommends that the plan address elements missing from the current national security strategy, including milestones and performance measures, cost and resources, roles and responsibilities, and linkage with other key strategy documents. It should ensure that federal departments and agencies are held accountable for improvements in cybersecurity challenge areas, including designing and implementing risk-based programs; detecting, responding to, and mitigating cyber incidents; promoting education, awareness, and workforce planning; promoting R&D; and addressing international cybersecurity challenges.
Also, because roles and responsibilities regarding cybersecurity have been ambiguous, the GAO concluded Congress should “consider legislation to better define roles and responsibilities for implementing and overseeing federal information security programs and for protecting the nation’s critical cyber assets.”