Cyber security and the federal government seem to be dominating security news lately. Part of that may be because it's National Cybersecurity Awareness Month, but it also may be because the federal government has some serious cyber security issues. This report from the Government Accountability Office (GAO) states that security incidents in 24 federal agencies increased more than 650 percent in the past 5 years.
That is a staggering number. According to InformationWeek, cyber attacks on the federal government jumped 39 percent in 2010.
I think it is about time the federal government gets serious about this, don't you? According to the GAO report:
Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. ... Each of the 24 agencies reviewed had weaknesses in information security controls. An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs. As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise.
While the White House's attempts to improve the cyber security landscape in federal government are a step in the right direction, you have to wonder if it is a hollow first step. The GAO report pointed out that it made hundreds of recommendations for fiscal years 2010 and 2011 for improvements to cyber security, but the incidents still persist - and appear to be increasing.
But I'm not going to put all the blame on the government. Cyber attacks are increasing across all types of organizations. Malicious threats and hacks are not unique to government entities; enterprise has had its share of problems over the past year. Look at any of the threat reports that come out annually or quarterly and you'll see a rise in attacks. A Bloomberg article said as much, quoting from the report:
Threats to systems supporting critical infrastructure and federal information systems are evolving and growing. Advanced persistent threats -- where an adversary that possesses sophisticated levels of expertise and significant resources can attack by using multiple means such as cyber, physical, or deception to achieve its objectives -- pose increasing risks.
It's now up to the agencies to comply with the GAO's recommendations, which they are not doing. According to InformationWeek:
The GAO also put some blame on the Office of Management and Budget for persistent cybersecurity incidents, saying that while they provided new cybersecurity metrics for agencies, they did not always provide performance targets to measure improvements.
Let's hope the GAO report serves as a wake-up call.