The Government Accountability Office has looked at the growing number of cybersecurity threats facing our nation. And it’s no small number. The GAO says the number of cyber attacks reported to CERT has grown by 782% in the last 6 years. There were 5,500 incidents in 2006; last year there were 48,000.
So what is with the explosion of cyber-attacks and how is the federal government arming itself?
Gregory Wilshusen is the Director of Information Security Issues at the GAO. He is also the main author of the GAO’s report: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented.
“It’s not the requirement of an agency to eliminate risk, but to manage it,” said Wilshusen.
He told Chris Dorobek on the DorobekINSIDER program that sophisticated attacks are growing and evolving.
“The cyber attacks are getting more sophisticated. They are advanced persistent threats that have high levels of expertise and resources at their command. Attackers also have endless patience. They are willing to try to gain access to agency systems and networks on a long-term basis,” said Wilshusen.
- Misconfiguration of existing devices: devices already in place are set up or used incorrectly, so security is weak. Many of these problems can be corrected with minimal new expenditures.
- Promoting education: getting a technically skilled workforce in place has been a big challenge for agencies for a while. That’s not to say there aren’t qualified people out there working, but when we reported on this issue last year, that was one area where agencies indicated they had the biggest challenge.
- Designing and implementing risk-based security programs: 19 out of 24 major federal agencies reported that their information security controls are either a significant deficiency or a material weakness for financial reporting purposes. 22 of 24 agencies cited information system controls as a major management challenge. GAO has had this issue on its High Risk list since 1997, and in 2003 we expanded that to include those systems supporting critical infrastructures.
- Establishing and identifying standards for critical infrastructures: much of the critical infrastructure in this country (water supply, banking, electrical power) is owned and operated by the private sector. These industries are subject to different regulations, and the extent to which they have cyber standards defined, or even in place, varies.
Why Are Risk Based Programs Difficult?
“It’s hard to do because it is some parts quantitative and some qualitative. Assessing risks is one of the fundamental steps when you are creating an information security program,” said Wilshusen.
- Look at the technologies you have.
- Look at the threats facing particular agencies.
- Then, based on the threats and the controls available to mitigate those threats, assess the security of your controls to find vulnerabilities.
- Once you identify vulnerabilities, you have to look at the impact of a threat actor exploiting them. That impact is usually expressed in terms of whether the confidentiality or integrity of that information is compromised and/or whether the availability of that information may be denied to me when I need it.
“After considering those factors of threat, vulnerability and impact you have to form this conclusion as to what are the appropriate levels of controls and how does the agency implement those in a cost effective manner,” said Wilshusen.
Biggest Bang for the Cyber Buck
“The austerity we are living with now is giving rise to the importance of being able to assess your risk and then to prioritize controls and mitigation strategies you need to implement. You have to cost effectively reduce your risk.”
Impact of Emerging Technologies
“We are in a constantly changing environment. So you have trade-offs. Businesses and agencies are also adding new technologies all the time like cloud computing or mobile devices. Sometimes the implementation of these devices precedes the development of effective security controls over those technologies. So while those newer technologies can provide a lot of benefits, if the security is not appropriately considered and implemented it can introduce risk to the organization,” said Wilshusen.
“The key reason for performance measures is to be able to assess whether or not the strategy or control is having the intended benefit,” said Wilshusen.
Many of the federal government’s strategy documents don’t, but should, include some key desirable characteristics:
- Performance measures
- Clearly defined roles for the actors involved
- Milestones for certain activities to be completed
- Clearly defined costs and resources necessary to implement the strategies
- How the different strategies link together