GAO: Federal Incident Response is ErraticPreliminary Analysis Shows Inconsistencies at Agencies
A forthcoming report from the Government Accountability Office says that major U.S. federal government agencies, for the most part, failed to respond effectively to cyber-incidents.
See Also: Data Center Security Study - The Results
Appearing April 2 before the Senate Homeland Security and Governmental Affairs Committee, GAO's Gregory Wilshusen said a preliminary assessment of a study of the effectiveness of government responses shows that the 24 major agencies did not consistently demonstrate adequate response in about 65 percent of reported incidents.
"Agencies identified the scope of incidents in the majority of cases, but did not always demonstrate that they had determined the impact of an incident," Wilshusen, GAO's director of information security issues, said in his prepared testimony. "In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether actions to prevent the recurrence of an incident were taken."
The number of information security incidents at federal agencies has grown dramatically in recent years, more than doubling from 2009 through 2013, according to a GAO analysis of U.S.-CERT statistics.
Call for More Oversight
Wilshusen said GAO also reviewed six selected agencies in greater depth and found that, while they had developed parts of policies, plans and procedures to guide incident response activities, their efforts were neither comprehensive nor fully consistent with federal requirements.
"The inconsistencies in agencies' incident response activities suggest that additional oversight, such as that provided by OMB and DHS during the CyberStat review process, may be warranted," he said. "However, these meetings generally have not covered agencies' incident response practices."
In CyberStat sessions, cybersecurity experts from the Department of Homeland Security, the White House Office of Management and Budget and the national security staff help agency IT security leaders develop actions plans to improve their information security posture.
Wilshusen said GAO observed that DHS provides various services to agencies to assist them in preparing to handle incidents, maintain awareness of the current threat environment, and deal with ongoing incidents addressing cyber-incidents. "However," he said, "opportunities exist to enhance the usefulness of these services, such as improving reporting requirements and evaluating the effectiveness of these services."
FTC Seeks Broad Authorities
Wilshusen's remarks came during a hearing on data breaches, where Federal Trade Commission Chairwoman Edith Ramirez said that the FTC should be given strong oversight authority in any federal breach notification bill Congress would enact.
Ramirez said Congress should let the FTC administer civil penalties to help ensure compliance and encourage investments in reasonable security measures to safeguard consumer information.
The FTC chair also said Congress should allow the commission to issue rules to enforce any national data breach law. "It is really critical that we provide the tools so that any legislation can be adapted to changing and evolving technology," Ramirez said. "Today, geolocation information is so readily available; a decade ago that was not the case. We need to adapt to changing times, both to be able, if necessary, to redefine what constitutes personal information. But, also perhaps, to list any requirements that no longer would be necessary."
Ramirez also said Congress should grant the FTC jurisdiction over not-for-profit organizations, such as universities and hospitals, in any data breach notification law. Hospitals and other healthcare organizations must comply with the federal HIPAA breach notification rule.
Lack of Consensus
With 46 states having their own breach notification laws, sentiment is strong among various constituencies for a national standard on breach notification, but there is no consensus yet on what details should be included (see Yet Another Data Breach Bill Introduced and Why U.S. Breach Notice Bill Won't Pass).
"I am encouraged that many of my colleagues share my interest in advancing our efforts to address data breaches," said Committee Chairman Tom Carper, D-Del., the sponsor of one of several data breach notification bills before Congress. "I hope we can embrace the 80-20 rule. That is - set aside the 20 percent that we can't agree on and focus on the 80 percent on which we can agree. It is in everyone's interest to ensure that we minimize the occurrence and impact of data breaches."
But the ranking member on the panel, Sen. Tom Coburn, R-Okla,, sounded cautious on the prospects of Congress enacting a data breach notification law. "I am open to legislation that would streamline data breach rules," he said. "However, we need to be careful to not be too prescriptive or punitive against companies."
And the chairman of the Financial Services Roundtable testified that the industry group has yet to decide whether it backs enactment of a national data breach notification law and what the measure should cover. "More important than breach notification requirements are the efforts to prevent data breaches in the first place," said Roundtable Chief Executive Tim Pawlenty, the former Republican governor of Minnesota. "To that end, FSR and many others have focused on effective cyberthreat information sharing."
The Obama administration supports enactment of a federal breach notification law. In February, Atty. Gen. Eric Holder proposed such a measure (see Holder Calls for National Breach Law). "This would empower the American people to protect themselves if they are at risk of identity theft," Holder said in a Feb. 24 video message. "It would enable law enforcement to better investigate these crimes and to hold compromised entities accountable when they fail to keep sensitive information safe."
If Congress fails to enact a national data breach notification law, the administration might develop a set of voluntary best practices along the lines of the new cybersecurity framework (see A Breach Notification Framework?). "We can use our convening power, like we have with [the cybersecurity framework], to talk about how we want voluntary standards to be in this space," White House Cybersecurity Coordinator Michael Daniel, a special assistant to the president, said in a February interview with Information Security Media Group. "There is certain space for us to make some progress in there without necessarily getting all the way to legislation."