GAO: 24 Agencies Still Struggle With IT Security Weaknesses
HHS, NASA, OPM, IRS Among Agencies Criticized
Two dozen federal agencies continue to experience security weaknesses in five critical areas, which puts government systems and data at risk, according to a new watchdog agency report.
The Government Accountability Office says in its new report, Federal Information Security: Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices, that during fiscal 2016 the agencies continued to experience weaknesses in protecting their information and information systems due to ineffective implementation of information security policies and practices.
Most of the agencies that the GAO reviewed had weaknesses in five control areas, including access controls, configuration management controls, segregation of duties, contingency planning and agencywide security management, the report notes. The problems have been recurring issues for many of the agencies, the report adds.
Among the agencies that the GAO reviewed are the Department of Health and Human Services, the National Aeronautics and Space Administration, the Nuclear Regulatory Commission, the Office of Personnel Management, the Department of Veterans Affairs and the Internal Revenue Service.
"The emergence of increasingly sophisticated threats and continuous reporting of cyber incidents underscores the continuing and urgent need for effective information security," the GAO writes.
"These threats come from a variety of sources and vary in terms of the types and capabilities of the actors, their willingness to act and their motives. For example, advanced persistent threats - where adversaries possess sophisticated levels of expertise and significant resources to pursue their objectives - pose increasing risks," the report notes.
Yet evaluations by the GAO and agency inspectors determined that most agencies did not have effective information security programs, the report notes.
The watchdog agency adds that it did not make any new recommendations to address the issues because GAO and agency inspectors general "have made hundreds of recommendations to address these security control deficiencies, but many have not yet been fully implemented."
Until agencies correct longstanding control deficiencies and address the previous recommendations, "federal IT systems will remain at increased and unnecessary risk of attack or compromise. We continue to monitor the agencies' progress on those recommendations."
David Finn, who recently joined security consultancy CynergisTek as executive vice president of innovation, says despite the GAO findings, the security risk that always worries him "is the one we don't know about yet."
Finn says many organizations inside and outside the federal government are failing at "doing the basic blocking and tackling" of data security.
Recent global malware and ransomware attacks significantly impacted the healthcare sector and other businesses, says Finn, a former healthcare CIO who was also a member of a task force that advised HHS on cybersecurity challenges. "These were not about brilliantly designed attacks. This was about basic patching," he says. "If we can't even take care of our equipment, I'm not sure we can really build a multilayered defense strategy."
Organizations that delay addressing weaknesses in their security controls are potentially putting critical systems and data in jeopardy, he says.
"If a doctor saw a patient with an acute disease, he wouldn't wait 20 years to start treating it," he says. "As a society, we've had wakeup call after wakeup call - from Target to Yahoo, to Equifax, and still no focus."
'It Won't Happen to Us'
There are a number of common reasons why organizations inside and outside of government fail to mature and improve the effectiveness of their security programs, says Mark Dill, a partner and principal consultant at the consultancy tw-Security.
Those reasons include "a lack of personnel or specific talent levels; complacency - 'it will never happen to us'; a lack of focus on the leading threats; too many vulnerabilities to address; a large volume of devices to protect - some are legacy and difficult to secure; missing tools; budget constraints; immature processes; and trying to protect all assets equally - a 'boil the ocean' approach," he says. "The enemy is clearly finding exposed weaknesses - technical and human behavior - faster than they are being addressed."
Of the two dozen agencies that GAO reviewed, HHS reported the largest IT spending, $13 billion in fiscal 2016, with 3 percent - or about $373 million - used for IT security.
Only three agencies reported a smaller portion of their IT budgets being spent on IT security in fiscal 2016. The Department of Housing and Urban Development spent only 1 percent of its budget on IT security, while the departments of agriculture and transportation each reported that 2 percent of their respective IT budgets were used on IT security.
By contrast, the Department of Homeland Security reported an IT budget of $6.2 billion, but it spent about 21 percent of that budget, or nearly $1.3 billion, on IT security, according to the GAO report. That meant it ranked No. 1 on IT security spending among the agencies studied.
On average, the agencies spent about 8 percent of their IT budgets on security, the GAO reports.
The Department of Defense was excluded from the analysis because its fiscal 2016 IT spending data was not available, GAO notes.
But regardless of security spending, "most of the 24 agencies covered ... had weaknesses in each of the five major categories of information system controls," the report notes.
As for IT security budget trends in the private healthcare sector, "we have seen a steady increase in healthcare spending on security and compliance over the last two years - up to the 4 percent to 6 percent of IT budget," Dill says. "For some organizations that are 'catching up,' we are seeing spending in excess of 6 percent," notes Dill, former information security leader at the Cleveland Clinic.
The GAO spotlighted an August 2016 review of HHS' Food and Drug Administration.
The FDA "had a significant number of security control weaknesses that jeopardize the confidentiality, integrity, and availability of its information systems and industry and public health data," GAO writes.
"Specifically, FDA had not fully or consistently implemented access controls, which are intended to prevent, limit and detect unauthorized access to computing resources," GAO says. "FDA also had weaknesses in other controls, such as those intended to manage the configurations of security features on and control changes to hardware and software; plan for contingencies, including system disruptions and their recovery; and protect media such as tapes, disks, and hard drives to ensure information on them was 'sanitized' and could not be retrieved after the hardware was discarded."
GAO notes that it recommended the FDA take 166 specific actions to resolve weaknesses in information security controls. "The department concurred with our recommendations, has implemented 68 of them, and stated that it is working to address all the recommendations as quickly as possible. The department also stated that FDA has acquired third-party expertise to assist in these efforts to immediately address the recommendations."