Trade Law Daily is a service of Warren Communications News.

GAO Says Govt. Agencies Aren’t Handling Malware Threats Effectively

Most federal agencies aren’t taking adequate steps to combat spam, phishing and spyware, as the Federal Information Security Management Act (FISMA) requires, the Govt. Accountability Office (GAO) said Mon. Cybersecurity experts in govt. and industry were unsurprised by the report.


While offices’ perceptions of cyber-threats vary, a few entities within the federal govt. and private sector are at work on consumer outreach and prevention initiatives to head off the emerging dangers. But similar efforts aren’t being made to assist and educate federal agencies, GAO said. FISMA lays out data security measures, including risk assessments, implementing effective mitigating controls, providing security awareness training and ensuring that incident-response plans and procedures address these threats.

Although govt. officials are required to report incidents to a central federal entity, they aren’t reporting emerging cybersecurity threats with any consistency, the report said. Under FISMA, the Office of Management & Budget (OMB) and the Homeland Security Dept. (DHS) share responsibility for the federal capability to detect, analyze and respond to cybersecurity incidents. As of March, neither OMB nor DHS’s U.S. Computer Emergency Readiness Team (US-CERT) had issued guidance on processes and procedures for reporting incidents of phishing, spyware or other malware threats. The most recent guidance came in Oct. 2000, prior to US-CERT’s creation. Without effective coordination, the govt. has limited ability to flag and respond to emerging cybersecurity threats, GAO said.

Of 24 agencies examined, 19 identified non-security effects from spam, including reduced system performance and the cost of filtering e-mail, and 14 reported that spam consumes network bandwidth used to transmit messages or consumes disk storage used to store messages. A single agency identified the risk from spam as a means of delivering phishing, spyware and other threats, GAO said. While 14 of 24 agencies reported that phishing had limited or no effect on their systems and operations, 2 indicated they were unaware of any phishing scams specifically targeting their employees; 6 named a number of effects, including increased need for help desk support and compromised credit card accounts. Five agencies said spyware minimally affected their systems and operations, while 11 noted that spyware cut productivity or upped use of help desk support. Of the remaining 4 agencies that reported spyware effects, 2 noted decreased ability to utilize agency systems. The GAO study found that 17 of the 24 agencies haven’t assessed the risk that the agency name or the name of any of its components or divisions could be exploited in a phishing scam. Several agencies said existing enterprise tools for use against emerging cybersecurity threats are immature and impede efforts to detect, prevent, remove and analyze incidents.

Agency officials admitted employee awareness is a grave problem. Among agencies surveyed, 13 said they have or plan to implement phishing awareness training this fiscal year, 3 reported plans to implement training in the future and 3 have no plans to implement phishing awareness training. Administrators said they send memos to alert employees to incidents and risks and have provided general information on how to detect and report suspicious e-mail or activity characteristic of threats, GAO said. An audit of agencies’ incident-response plans found that while they mainly address malicious code threats, none fully cover phishing or spyware.

Agency comments on the report draft generally agreed with GAO’s findings, officials said. OMB’s Office of Information & Regulatory Affairs and Office of General Counsel supplied more information on federal efforts to address cyber threats. Regarding GAO’s first recommendation, OMB stressed that the agencies have the primary responsibility for complying with FISMA requirements but indicated the office would incorporate emerging cybersecurity threats and new technological issues into its annual review of agency information security programs. OMB also plans to consider whether the programs adequately address emerging issues before approving them. The report’s 2nd recommendation is being addressed in theory by a concept of operations and taxonomy for incident reporting that OMB is developing with US-CERT, officials said. That document is set for release later this summer. The National Institute of Standards & Technology is drafting a guide that includes a taxonomy of malware, incident prevention and response options to assist agencies in improving system and network security.

The report’s thrust didn’t surprise security experts. “We've always been saying that there needs to be increased awareness, not just in the private sector,” said Greg Garcia, vp-information security at ITAA. “The government needs to lead by example.” He said GAO’s recommendation for coordination led by OMB and DHS “came a half-step short” of what ITAA would like to see. His group supports the creation of a senior level govt. position that would oversee cybersecurity across agencies and departments. “When you have someone at that level or higher who's managing it… you'll get more consciousness raising. If you have a name and face for a cybersecurity agenda, that someone uses the bully pulpit and can jawbone greater cybersecurity across government.”

Computer & Communications Industry Assn. (CCIA) Pres. Ed Black echoed Garcia. “The report seems to indicate that the federal government’s efforts in this area are not very impressive and they are lagging way behind what they should be doing,” he said: “They don’t provide a good example, they show a lack of coordination and a lack of prioritization. All in all, it’s pretty discouraging.” He said most in the information security field see the “massive risks and potentially serious consequences” of govt. not “getting its own house in order… It’s disappointing and almost unbelievable that this many years after the recognition of the seriousness of threats in this area that the preparation and the planning is at such a poor state.” House Homeland Security Committee Ranking Democrat Rep. Thompson (Miss.) told us it doesn’t make sense that govt. computers are just as -- or even more vulnerable than -- home computers. He said DHS should be taking the lead in developing a coordinated and thoughtful approach to cyber attacks. “The Administration needs to get its act together so DHS doesn’t remain a weak link in our fight against cyberterrorists and criminals committing ID theft,” Thompson said.