Hackers tried to breach federal networks more than 48,000 times in 2012, and those are just the ones agencies knew about and reported to the U.S. Computer Emergency Readiness Team (US-CERT), run by the Homeland Security Department.
These attacks against agencies, which reached an all-time high last year, come as the Government Accountability Office continues to find agencies are not prepared for this constantly growing cyber assault.
But it’s not just a matter of total incidents. It’s well known the variety of attacks and the sophistication of hackers also are increasing.
GAO found improper usage, malicious code, and unauthorized access were the most widely reported types of attacks across the government.
“This is why we’ve been designating information security as a high risk area since 1997 is because of agencies, I wouldn’t say their inability, but their lack of meaningful success in securing their systems and meeting many of the requirements for securing their systems,” said Greg Wilshusen, GAO’s director of information security issues, Thursday during a hearing on cybersecurity of the Senate Homeland Security and Governmental Affairs Committee.
GAO released a whole set of statistics about agency cybersecurity progress ahead of the Office of Management and Budget’s annual report to Congress on the government’s progress in implementing the Federal Information Security Management Act (FISMA).
Where’s the FISMA report?
In fact, Sen. Tom Coburn (R-Okla.), ranking member of the committee, said he was disappointed OMB didn’t release the FISMA report before the hearing.
“There’s no reason for it other than it shows significant criticism of our ability to manage critical information within the federal government,” he said. “I will apologize to them vociferously if, in fact, my assessment of that report [is wrong]. But not to put it out before this hearing is absolutely ridiculous because we all know, and GAO will testify today what we all know, is the status within our own government of how we are doing. It’s unfortunate that we’ve chosen not to have a critical piece of information that analyzes a report on us for this hearing.”
OMB typically releases the FISMA report in March, but there is no set date for when it comes out.
“The administration appreciates the importance of the FISMA report, and is working to provide it to Congress as expeditiously as possible,” an OMB spokeswoman said by email in response to Coburn’s criticism.
No matter when OMB finally releases the annual report, expected sometime in March, agency progress toward securing their systems will continue at a slow pace.
GAO found that not only did the number of incidents reported to U.S. CERT increase to more than 48,000 in 2012 from more than 42,000 in 2011, more than 41,000 in 2010 and almost 30,000 in 2009, but what agencies are doing about those attacks is lacking.
Auditors say 19 of 24 major federal agencies reported that information security control deficiencies were either a material weakness or significant deficiency in internal controls over financial reporting.
Further, inspectors general at 22 of 24 agencies cited information security as a major management challenge for their agency.
GAO also found that most of the 24 major agencies had information security weaknesses in most of five key control categories:
Implementing agencywide information security management programs that are critical to identifying control deficiencies
Resolving problems and managing risks on an ongoing basis
Limiting, preventing and detecting inappropriate access to computer resources
Managing the configuration of software and hardware
Segregating duties to ensure that a single individual does not control all key aspects of a computer-related operation
Planning for continuity of operations in the event of a disaster or disruption.
“It’s not an easy job in terms of implementing effective security over time because the environment is constantly changing, new technologies are being implemented into the computing environment, the threats are becoming more sophisticated and business practices at changing,” Wilshusen said. “But at the same time, agencies need to implement the appropriate processes to assess their risk and, then based on that risk, select the appropriate controls to cost-effectively reduce those risks to an acceptable level, and then ensure those controls are effectively implemented, tested and assure they remain appropriate.”
While much of the hearing focused on the Cyber Executive Order President Obama issued last month, the desire to update FISMA crept into the discussion. The Senate’s comprehensive cybersecurity bill that failed last session included an update to the 10-year-old FISMA law. The House also passed a separate bill to revise FISMA, but the Senate didn’t consider the legislation.
Coburn expressed concern whether DHS has the authorities needed to oversee federal networks and whether the new cyber executive order would overwhelm them.
DHS Secretary Janet Napolitano said the agency is well suited to continue with both roles, but it does need some legislative help.
“I think some FISMA reform, which would move us out of the paperwork generation and into the digital age would be very helpful,” she said. “The ability to do hiring equivalency to the sorts of hiring the National Security Agency could do because realize in this realm, civilian capacity needs to be enhanced because we are going to manage most of this through civilian capacities with some utilization of the NSA. We already have those arrangements made, but on that personnel side we will need legislative assistance.”
Napolitano added DHS has worked hard over the last few years to improve its management of cyber and address the challenges it faced over the years in terms of both people and capabilities.
U.S. CERT busier than ever
One example of DHS’s progress is that U.S. CERT issued more than 7,455 actionable cyber-alerts in 2012 that were used by private sector and agencies to protect their systems, and had more than 6,400 partners subscribe to the U.S. CERT portal to share information and receive cyber threat warning information.
Napolitano said the department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also responded to 177 incidents last year while completing 89 site assistance visits and deploying 15 teams with U.S. CERT to respond to significant private sector cyber incidents.
Lawmakers at the hearing, which was a joint hearing with the Commerce, Science and Transportation Committee, also wanted to know how DHS would implement the executive order.
Sen. Tom Carper (D-Del.), chairman of the Homeland Security and Governmental Affairs Committee, said the EO helps move the ball forward to protect critical infrastructure, but legislation still is needed. He said many of the barriers that stopped the bill last session seem to have been addressed over the last few months.
“I think we’ve moved a long ways. You all have moved a long ways and I think in smart ways. Dr. Coburn has suggested there still are some concerns about liability protection. My understanding on the information sharing side, it’s not so much an issue any more. I think there may be bipartisan agreement to punitive damages and maybe general damages,” Carper said. “I think there are some questions about liability protection on the critical infrastructure side, should it be punitive? Should it be more than punitive? But there’s been a whole lot of movement as I see it from the administration and from a bi-partisan group of us in the Senate to meet the legitimate concerns that were raised.”