GAO says U.S. agencies unprepared to fight cyberthreats

Computerworld - A majority of federal agencies appear to be unprepared to deal with emerging information security threats such as spyware, phishing and spam, according to a report released Monday by the U.S. Government Accountability Office (GAO). Adding to the problem is a lack of guidance on what exactly government agencies need to report when it comes to these threats, as well as how and to whom they should report such incidents.
As a result, "the federal government is limited in its ability to identify and respond to emerging cybersecurity threats, including sophisticated and coordinated attacks that target multiple federal entities," the 79-page report warned.
The GAO report is based on input from security executives at 24 major federal agencies and discusses potential threats, reported agency perception to these threats and efforts to address them.
According to the GAO, spam, phishing and spyware all pose potent and growing threats to the integrity of federal information systems. Phishing scams, for instance, can result in identity theft and loss of confidential information, the GAO said, adding that several agencies -- including the FBI and the Internal Revenue Service -- had already fallen victim to phishers.
Similarly, spyware programs threaten the integrity of federal systems because of their ability to monitor and reconfigure the systems they infect, the report said. "The blending of these threats creates additional risks that cannot be easily mitigated with currently available tools," the GAO said.
Even so, a majority of the agencies have not yet begun addressing these threats as part of the information security programs they are required to implement under the Federal Information Security Management Act of 2002.
In many instances, spyware, phishing and spam are not even considered security threats. For example, 19 of the 24 agencies reported productivity and bandwidth-related issues resulting from spam e-mail, while only one agency identified it as a potential security problem. Similarly, 17 of the 24 agencies reported that they had not assessed the risk posed to their networks by phishing. And reports provided by 20 agencies showed that all of those agencies lack a formal incident response plan for dealing with phishing and spyware.
There was also little consistency in the way agencies report problems. Some reported them to the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT), as required, while others reported incidents to law enforcement agencies. Still others did not report incidents outside their agencies at all. Neither the Office of Management and Budget nor the Department of Homeland Security -- the entities responsible for coordinating