A majority of federal agencies appear to be unprepared to deal with emerging information security threats such as spyware, phishing and spam, according to a report released Monday by the U.S. Government Accountability Office (GAO). Adding to the problem is a lack of guidance on what exactly government agencies need to report when it comes to these threats, as well as how and to whom they should report such incidents.
As a result, "the federal government is limited in its ability to identify and respond to emerging cybersecurity threats, including sophisticated and coordinated attacks that target multiple federal entities," the 79-page report warned.
The GAO report is based on input from security executives at 24 major federal agencies and discusses potential threats, reported agency perception to these threats and efforts to address them.
According to the GAO, spam, phishing and spyware all pose potent and growing threats to the integrity of federal information systems. Phishing scams, for instance, can result in identity theft and loss of confidential information, the GAO said, adding that several agencies -- including the FBI and the Internal Revenue Service -- had already fallen victim to phishers.
Similarly, spyware programs threaten the integrity of federal systems because of their ability to monitor and reconfigure the systems they infect, the report said. "The blending of these threats creates additional risks that cannot be easily mitigated with currently available tools," the GAO said.
Even so, a majority of the agencies have not yet begun addressing these threats as part of the information security programs they are required to implement under the Federal Information Security Management Act of 2002.
In many instances, spyware, phishing and spam are not even considered security threats. For example, 19 of the 24 agencies reported productivity and bandwidth-related issues resulting from spam e-mail, while only one agency identified it as a potential security problem. Similarly, 17 of the 24 agencies reported that they had not assessed the risk posed to their networks by phishing. And reports provided by 20 agencies showed that all of those agencies lack a formal incident response plan for dealing with phishing and spyware.
There was also little consistency in the way agencies report problems. Some reported them to the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT), as required, while others reported incidents to law enforcement agencies. Still others did not report incidents outside their agencies at all. Neither the Office of Management and Budget nor the Department of Homeland Security -- the entities responsible for coordinating the government's response to cyberthreats -- has issued guidelines spelling out when and how to escalate incidents of emerging threats to the US-CERT, the GAO said.
The GAO recommended that the OMB and the DHS establish agency guidelines for dealing with emerging cyberthreats and how to report any incident.
The GAO also noted that the OMB is currently working with the US-CERT to develop formal guidelines and a common set of terms and reporting procedures that federal entities can use to report incidents involving new and emerging cyberthreats. That document is expected to be published this summer.
Alan Paller, director of research at the SANS Institute, a Washington, D.C.-based security information center, said it is up to the GAO to help agencies prioritize security issues.
The "GAO can always find fault with agencies for not reporting the latest security problem," he said. "But as an 'accountability' office, GAO has the responsibility to know what matters and to ensure its reviewers do not ask agencies to do so many things that they lose track of the critical ones."
The GAO and entities such as the Federal CIO Council need to tell agencies which security issues matter most so they don't waste security resources "writing reports and responding to audits about second- and third-order problems," he said.
Security guidelines included in documents such as the National Institute of Standards and Technology's (NIST) SP 800-53 also need to be broadened to include controls for emerging threats, said Michael Gibbons, vice president of Unisys Corp.'s federal sector security services practice.
"I haven't seen any controls that specifically deal with these sort of threats" in SP 800-53, said Gibbons, former chief of computer crime investigations at the FBI. "In theory, if you are following NIST policy and guidance you shouldn't have a lot of problems,"
John Pescatore, an analyst with Stamford, Conn.-based Gartner Inc., said the private sector is not very different from the government when it comes to emerging security threats. "If there was a GAO that looked at private companies, you would find the same thing," he said.
Complicating matters is the fact that several of the agencies are locked into long-term contracts with hardware and software suppliers and often don't have the flexibility to bring in new technology as needed, he said. "The bigger issue is this lack of knowledge or a way for agencies to report incidents across government. The GAO has found the mandates are there but the processes to make them work are not."