According to a GAO report out last week, over the last three years the number of reported incidents in which sensitive government information and information systems have been put at risk has skyrocketed. In FY2005, 3,634 incidents were reported. By FY2007, that number was 13,029 incidents, about a 259 percent increase.
The need for effective information security policies and practices is further illustrated by the number of security incidents experienced by federal agencies that put sensitive information at risk. Personally identifiable information about millions of Americans has been lost, stolen, or improperly disclosed, thereby potentially exposing those individuals to loss of privacy, identity theft, and financial crimes. Reported attacks and unintentional incidents involving critical infrastructure systems demonstrate that a serious attack could be devastating. Agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches, underscoring the need for improved security practices.
Examples of the problem
These incidents illustrate that a broad array of federal information and critical infrastructures are at risk.
● The Department of Veterans Affairs (VA) announced that computer equipment containing personally identifiable information on approximately 26.5 million veterans and active duty members of the military was stolen from the home of a VA employee. Until the equipment was recovered, veterans did not know whether their information was likely to be misused. VA sent notices to the affected individuals that explained the breach and offered advice concerning steps to reduce the risk of identity theft. The equipment was eventually recovered, and forensic analysts concluded that it was unlikely that the personal information contained therein was compromised.
● The Transportation Security Administration (TSA) announced a data security incident involving approximately 100,000 archived employment records of individuals employed by the agency from January 2002 until August 2005. An external hard drive containing personnel data, such as Social Security number, date of birth, payroll information, and bank account and routing information, was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital.
● A contractor for the Centers for Medicare and Medicaid Services reported the theft of one of its employees' laptop computers from his office. The computer contained personal information including names, telephone numbers, medical record numbers, and dates of birth of 49,572 Medicare beneficiaries.
● The Census Bureau reported 672 missing laptops, of which 246 contained some degree of personal data. Of the missing laptops containing personal information, almost half (104) were stolen, often from employees’ vehicles, and another 113 were not returned by former employees. The Commerce Department reported that employees had not been held accountable for not returning their laptops.
● The Department of State experienced a breach on its unclassified network, which daily processes about 750,000 e-mails and instant messages from more than 40,000 employees and contractors at 100 domestic and 260 overseas locations. The breach involved an e-mail containing what was thought to be an innocuous attachment. However, the e-mail contained code to exploit vulnerabilities in a well-known application for which no security patch existed. Because the vendor was unable to expedite testing and deploy a new patch, the department developed its own temporary fix to protect systems from being further exploited. In addition, the department sanitized the infected computers and servers, rebuilt them, changed all passwords, installed critical patches, and updated their anti-virus software.
● In August 2006, two circulation pumps at Unit 3 of the Tennessee Valley Authority’s Browns Ferry nuclear power plant failed, forcing the unit to be shut down manually. The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device.
● Officials at the Department of Commerce’s Bureau of Industry and Security discovered a security breach in July 2006. In investigating this incident, officials were able to review firewall logs for an 8-month period prior to the initial detection of the incident, but were unable to clearly define the amount of time that perpetrators were inside its computers, or find any evidence to show that data was lost as a result.
● The Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as “Slammer” infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours. In addition, the plant’s process computer failed, and it took about 6 hours for it to become available again.
Information insecurity is a breach of the public trust
Information security is especially important for federal agencies, where the public’s trust is essential and poor information security can have devastating consequences. Since 1997, GAO has identified information security as a governmentwide high-risk issue in each of its biennial reports to the Congress. Concerned by reports of significant weaknesses in federal computer systems, Congress passed the Federal Information Security Management Act (FISMA) of 2002, which permanently authorized and strengthened information security program, evaluation, and annual reporting requirements for federal agencies.
Causes of the problems
The report includes details as to the causes of the problems. Here is a summary of GAO's findings.
Despite reported progress, major federal agencies continue to experience significant information security control deficiencies.
* Most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information.
* In addition, agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity, patch key servers and workstations in a timely manner, assign duties to different individuals or groups so that one individual did not control all aspects of a process or transaction, and maintain complete continuity of operations plans for key information systems.
* An underlying cause for these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs.
As a result, federal systems and information are at increased risk of unauthorized access to and disclosure, modification, or destruction of sensitive information, as well as inadvertent or deliberate disruption of system operations and services.
The Failure of Agency Inspectors General
The report finds that rather than being part of the solution, agency Inspectors General are part of the problem.
IG FISMA evaluations lacked a common approach, and the scope and methodology of the evaluations varied across agencies. For example:
● Some IGs stated that they were unable to conduct evaluations of their respective agency’s inventory because the information provided to them by the agency at that time was insufficient (i.e., incomplete or unavailable).
● Some IGs reported only interviewing officials and reviewing agency documentation, while others indicated conducting tests of implementation plans (e.g., security plans).
● Some IGs indicated in the scope and methodology sections of their reports that their reviews were focused on selected components, whereas others did not make any reference to the breadth of their review.
● Some reports consisted solely of a summary of relevant information security audits conducted during the fiscal year, while others included additional evaluation that addressed specific FISMA-required elements, such as risk assessments and remedial actions.
● The percentage of systems reviewed varied. Twenty-two of 24 IGs tested information security program effectiveness on a subset of systems; two IGs did not review any systems.
● One IG noted that the agency’s inventory was missing certain web applications and concluded that the agency’s inventory was only 0-50 percent complete, although the report also noted that, due to time constraints, the IG had been unable to determine whether other items were missing.
● Two IGs indicated basing a portion of their template submission solely on information provided to them by the agency, without conducting further investigation.
As we previously reported, the lack of a common methodology, or framework, had culminated in disparities in audit scope, methodology, and content of the IGs’ annual independent
I have not included it here, but the report also provides a list of changes that can enhance the security of our information and information systems.
The report is Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies GAO-08-496T, February 14, 2008.
A second information report released last week
Information Technology: VA Has Taken Important Steps to Centralize Control of Its Resources, but Effectiveness Depends on Additional Planned Actions GAO-08-449T, February 13, 2008
Briefly, here is why GAO did this investigation:
The use of information technology (IT) is crucial to the Department of Veterans Affairs’ (VA) mission to promote the health, welfare, and dignity of all veterans in recognition of their service to the nation. In this regard, the department’s fiscal year 2009 budget proposal includes about $2.4 billion to support IT development, operations, and maintenance. VA has, however, experienced challenges in managing its IT projects and initiatives, including cost overruns, schedule slippages, and performance problems. In an effort to confront these challenges, the department is undertaking a realignment to centralize its IT management structure.