Government Accountability Office Finds Government Still Mostly Terrible When It Comes To Cybersecurity

from the can't-even-secure-a-filing-cabinet,-apparently dept

The government has done a spectacularly terrible job at protecting sensitive personal information over the past couple of years. Since 2013, the FDA, US Postal Service, Dept. of Veterans Affairs, the IRS and the Office of Personnel Management have all given up personal information. So, it’s no surprise the Government Accountability Office’s latest report on information security contains little in the way of properly-secured information.

It opens with this depressing graph, showing just how many agencies flunked its information security controls assessment. Keep in mind that it only surveyed 24 agencies.

But what’s most concerning about the report (which is full of concerning conclusions) is that, in an era of cyber-everything, the most common “security incidents” have nothing to do with phishing, security holes or any other cyber-related threat. They have to do with people and the mishandling of dead tree byproducts.

Non-cyber incidents are defined by the GAO as:

…a report of PII [personally-identifiable information] spillage or possible mishandling of PII that involves hard copies or printed material as opposed to digital records.

The GAO reports that security incidents have skyrocketed over the past eight years, from 5,500 in 2006 to nearly 70,000 last year.

It also notes that incidents involving personally-identifiable information have increased steadily as well.

[T]he number of information security incidents involving PII reported by federal agencies has more than doubled in recent years, from 10,481 in 2009 to 27,624 in 2014.

It all adds up to something fairly disturbing. Not only are government agencies increasingly under attack from outside forces, but their internal handling of hard-copy PII is getting worse as well — even if the percentage of non-cyber incidents has declined over the past five years.

And despite the government’s increased focus on all things cyber, the first chart makes it clear there has been almost no improvement in information security controls since 2013.

It also appears as though there’s only one agency taking the GAO’s past recommendations seriously: the Department of Defense.

OMB established a fiscal year 2014 target of 75 percent implementation for strong authentication. In its report on fiscal year 2014 FISMA implementation, OMB indicated that the 24 federal agencies covered by the CFO Act had achieved a combined 72 percent implementation of these requirements, but this number dropped to only 41 percent implementation for the 23 civilian agencies when excluding DOD.

Obviously, overhauling security controls in a large number of agencies is an enormous undertaking. But this low level of implementation is both frightening and pathetic. The government demands large amounts of personal information from citizens, as well as from its employees and job applicants. There’s no opting out. Then it takes this information and provides only the most perfunctory of protections. Government agencies clearly can’t be trusted with securing this information, but there’s no option other than to submit and hope for the best. It’s even more disheartening when you realize that some of these directives that still haven’t been fully complied with have been in place since 2002.

The government asks for too much and provides too little in return. Multiple agencies want to be the “ground force” in the cyberwar. But until the homefront is secured, it seems unwise to deploy elsewhere.


Comments on “Government Accountability Office Finds Government Still Mostly Terrible When It Comes To Cybersecurity”

Anonymous Coward says:

If only the US government treated cybersecurity seriously and didn’t try to numb people to their requests by trying to push new surveillance bills with the label “cybersecurity” on them.

It’s like the boy who cried wolf. If they keep pushing stupid surveillance bills like CISA as “cybersecurity”, even though they’ll do nothing to improve cybersecurity and may even make things worse by allowing incompetent government employees access to millions of people’s data, there will be a time when they’ll need a “real” cybersecurity bill to pass, and no one will want it anymore.

Bob elod says:

I believe the problem is the perception of the worth of the information and the consequences if it was lost, stolen, or tampered with.
A lot of people (in government and outside it) consider military weapons and technology worth securing. If military data is compromised it could easily mean catastrophe through the loss of life from unintended targets like civilians, your own side’s military personnel, or very expensive equipment and buildings. Since the DoD already has protections in place for classified data, the same techniques, tools, and personnel can be applied more easily to its PII as well.

Now look at just PII. I am sure most if not all readers of TechDirt value their privacy and PII. But a lot of people (both in and outside government) don’t consider it as important to safeguard. The evidence can be found in the posts people make on social media, and in their complacency when accepting terms and conditions that collect data in exchange for some small piece of functionality in an app or to play a game. Government agencies, being run by people, are no different in their cavalier attitude towards PII.
It comes down to what people consider most important, and nobody will die if PII is lost, stolen, or tampered with. At least that is what people think until they are the victims of identity theft. I bet anyone who has been a victim would argue that they might as well be dead since their information was exploited. After being victimized, the true value of PII suddenly comes into play. Until everyone sees how important safeguarding PII truly is, don’t expect much to be done by government or people in general.

Personanongrata says:

Government agencies clearly can’t be trusted with securing this information, but there’s no option other than to submit and hope for the best.

There actually is an option: it is called the word NO, which can be the most powerful word a free person may articulate.

Does using NO in this instance come with certain personal risks and/or potential sacrifices? Yes it does, but sometimes human liberty comes before genuflection to power.
