Cybersecurity: Continued Federal Efforts Are Needed to Protect Critical Systems and Information


Testimony Before the Subcommittee on Technology and Innovation, Committee on Science and Technology, House of Representatives

  • Government Accountability Office
  • Statement of Gregory C. Wilshusen, Director, Information Security Issues
  • 24 pages
  • Public
  • June 25, 2009

Since 2005, GAO has reported that DHS has yet to comprehensively satisfy its key cybersecurity responsibilities, including those related to establishing effective partnerships with the private sector. Shortcomings exist in key areas that are essential for DHS to address in order to fully implement its cybersecurity responsibilities (see table). DHS has since developed and implemented certain capabilities, but still has not fully satisfied aspects of these responsibilities and needs to take further action to enhance the public/private partnerships needed to adequately protect cyber critical infrastructure. GAO has also previously reported on significant security weaknesses in systems supporting two of the department’s programs, one that tracks foreign nationals entering and exiting the United States, and one for matching airline passenger information against terrorist watch-list records. DHS has corrected information security weaknesses for systems supporting the terrorist watch-list, but needs to take additional actions to mitigate vulnerabilities associated with systems tracking foreign nationals.

Key Cybersecurity Areas Reviewed by GAO
1. Bolstering cyber analysis and warning capabilities
2. Improving cybersecurity of infrastructure control systems
3. Strengthening DHS’s ability to help recover from Internet disruptions
4. Reducing organizational inefficiencies
5. Completing actions identified during cyber exercises
6. Developing sector-specific plans that fully address all of the cyber-related criteria
7. Securing internal information systems

NIST plays a key role in providing important information security standards and guidance. Pursuant to its responsibilities under the Federal Information Security Management Act (FISMA), NIST has developed standards specifying minimum security requirements for federal information and information systems; and provided corresponding guidance that details the controls necessary for securing those systems. It has also been working with both public and private sector entities to enhance information security requirements. The resulting guidance and tools provided by NIST serve as important resources for federal agencies that can be applied to information security programs.

As GAO recently testified in May, opportunities exist to improve the metrics used to assess agency information security programs. According to the performance metrics established by the Office of Management and Budget (OMB), agencies reported increased compliance in implementing key information security control activities. However, GAO and agency inspectors general continue to report significant weaknesses in controls. This dichotomy exists in part because the OMB-defined metrics generally do not measure how well controls are implemented. As a result, reported metrics may provide an incomplete picture of an agency’s information security program.

Virtually all federal operations are supported by computer systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions, deliver services to the public, and account for their resources without these cyber assets. Information security is thus especially important for federal agencies to ensure the confidentiality, integrity, and availability of their systems and data. Conversely, ineffective information security controls can result in significant risk to a broad array of government operations and assets, as the following examples illustrate:

• Computer resources could be used for unauthorized purposes or to launch attacks on other computer systems.
• Sensitive information, such as personally identifiable information, intellectual property, and proprietary business information could be inappropriately disclosed, browsed, or copied for purposes of identity theft, espionage, or other types of crime.
• Critical operations, such as those supporting critical infrastructure, national defense, and emergency services, could be disrupted.
• Data could be added, modified, or deleted for purposes of fraud, subterfuge, or disruption.

Government officials are increasingly concerned about attacks from individuals and groups with malicious intent, such as criminals, terrorists, and adversarial foreign nations. For example, in February 2009, the Director of National Intelligence testified that foreign nations and criminals have targeted government and private sector networks to gain a competitive advantage and potentially disrupt or destroy them, and that terrorist groups have expressed a desire to use cyber attacks as a means to target the United States. 2 The growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, and other critical infrastructures. As government, private sector, and personal activities continue to move to networked operations, digital systems add ever more capabilities, wireless systems become more ubiquitous, and the design, manufacture, and service of information technology have moved overseas, the threat will continue to grow.

DHS Has Yet to Fully Satisfy Its Cybersecurity Responsibilities

We have reported since 2005 that DHS has yet to comprehensively satisfy its key responsibilities for protecting computer-reliant critical infrastructures. Our reports included about 90 recommendations that we summarized into key areas, including those listed in table 1, that are essential for DHS to address in order to fully implement its responsibilities. DHS has since developed and implemented certain capabilities to satisfy aspects of its responsibilities, but the department still has not fully implemented our recommendations, and thus further action needs to be taken to address these areas.

In July 2008, we identified11 that cyber analysis and warning capabilities included (1) monitoring network activity to detect anomalies, (2) analyzing information and investigating anomalies to determine whether they are threats, (3) warning appropriate officials with timely and actionable threat and mitigation information, and (4) responding to the threat. These four capabilities are comprised of 15 key attributes, including establishing a baseline understanding of the nation’s critical network assets and integrating analysis work into predictive analyses of broader implications or potential future attacks.

We concluded that while DHS’s United States Computer Emergency Readiness Team (US-CERT) demonstrated aspects of each of the key attributes, it did not fully incorporate all of them. For example, as part of its monitoring, US-CERT obtained information from numerous external information sources; however, it had not established a baseline of the nation’s critical network assets and operations. In addition, while it investigated whether identified anomalies constituted actual cyber threats or attacks as part of its analysis, it did not integrate its work into predictive analyses of broader implications or potential future attacks, nor did it have the analytical or technical resources to analyze multiple, simultaneous cyber incidents. The organization also provided warnings by developing and distributing a wide array of attack and other notifications; however, these notifications were not consistently actionable or timely— i.e., providing the right information to the right persons or groups as early as possible to give them time to take appropriate action. Further, while the team responded to a limited number of affected entities in its efforts to contain and mitigate an attack, recover from damages, and remediate vulnerabilities, it did not possess the resources to handle multiple events across the nation.

We also concluded that without fully implementing the key attributes, US-CERT did not have the full complement of cyber analysis and warning capabilities essential to effectively perform its national mission. As a result, we made 10 recommendations to the department to address shortfalls associated with the 15 attributes in order to fully establish a national cyber analysis and warning capability. DHS concurred and agreed to implement 9 of our 10 recommendations.

Besides weaknesses relating to external cybersecurity responsibilities, DHS had not secured its own information systems. In July 2007, we reported21 that DHS systems supporting the US-VISIT program22 were riddled with significant information security control weaknesses that place sensitive information—including personally identifiable information—at increased risk of unauthorized and possibly undetected disclosure and modification, misuse, and destruction, and place program operations at increased risk of disruption. Weaknesses existed in all control areas and computing device types reviewed. For example, DHS had not implemented controls to effectively prevent, limit, and detect access to computer networks, systems, and information. To illustrate, it had not (1) adequately identified and authenticated users in systems supporting US-VISIT, (2) sufficiently limited access to US-VISIT information and information systems, and (3) ensured that controls adequately protected external and internal network boundaries. In addition, it had not always ensured that responsibilities for systems development and system production had been sufficiently segregated, and had not consistently maintained secure configurations on the application servers and workstations at a key data center and ports of entry. As a result, intruders, as well as government and contractor employees, could potentially bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. These acts could include tampering with data; browsing sensitive information; using computer resources for inappropriate purposes, such as launching attacks on other organizations; and disrupting or disabling computer-supported operations.

Share this: