GAO: Federal Incident Response is Erratic

Preliminary Analysis Shows Inconsistencies at Agencies

By Eric Chabrow, April 3, 2014.
GAO's Gregory Wilshusen testifies before a Senate panel.

A forthcoming report from the Government Accountability Office says that major U.S. federal government agencies, for the most part, failed to respond effectively to cyber-incidents.

Appearing April 2 before the Senate Homeland Security and Governmental Affairs Committee, GAO's Gregory Wilshusen said a preliminary assessment of a study of the effectiveness of government responses shows that the 24 major agencies did not consistently demonstrate adequate response in about 65 percent of reported incidents.

"Agencies identified the scope of incidents in the majority of cases, but did not always demonstrate that they had determined the impact of an incident," Wilshusen, GAO's director of information security issues, said in his prepared testimony. "In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether actions to prevent the recurrence of an incident were taken."

The number of information security incidents at federal agencies has grown dramatically in recent years, more than doubling from 2009 through 2013, according to a GAO analysis of U.S.-CERT statistics.

Call for More Oversight

Wilshusen said GAO also reviewed six selected agencies in greater depth and found that, while they had developed parts of policies, plans and procedures to guide incident response activities, their efforts were neither comprehensive nor fully consistent with federal requirements.

"The inconsistencies in agencies' incident response activities suggest that additional oversight, such as that provided by OMB and DHS during the CyberStat review process, may be warranted," he said. "However, these meetings generally have not covered agencies' incident response practices."

In CyberStat sessions, cybersecurity experts from the Department of Homeland Security, the White House Office of Management and Budget and the national security staff help agency IT security leaders develop action plans to improve their information security posture.

Wilshusen said GAO observed that DHS provides various services to agencies to assist them in preparing to handle incidents, maintaining awareness of the current threat environment, and dealing with ongoing cyber-incidents. "However," he said, "opportunities exist to enhance the usefulness of these services, such as improving reporting requirements and evaluating the effectiveness of these services."

FTC Seeks Broad Authorities

Wilshusen's remarks came during a hearing on data breaches, where Federal Trade Commission Chairwoman Edith Ramirez said that the FTC should be given strong oversight authority in any federal breach notification bill Congress would enact.

Ramirez said Congress should let the FTC administer civil penalties to help ensure compliance and encourage investments in reasonable security measures to safeguard consumer information.

The FTC chair also said Congress should allow the commission to issue rules to enforce any national data breach law. "It is really critical that we provide the tools so that any legislation can be adapted to changing and evolving technology," Ramirez said. "Today, geolocation information is so readily available; a decade ago that was not the case. We need to adapt to changing times, both to be able, if necessary, to redefine what constitutes personal information. But, also perhaps, to list any requirements that no longer would be necessary."

Ramirez also said Congress should grant the FTC jurisdiction over not-for-profit organizations, such as universities and hospitals, in any data breach notification law. Hospitals and other healthcare organizations must comply with the federal HIPAA breach notification rule.

Lack of Consensus

Follow Eric Chabrow on Twitter: @GovInfoSecurity