Government Accountability Office Finds Government Still Mostly Terrible When It Comes To Cybersecurity
from the can't-even-secure-a-filing-cabinet,-apparently dept
The government has done a spectacularly terrible job at protecting sensitive personal information over the past couple of years. Since 2013, the FDA, US Postal Service, Dept. of Veterans Affairs, the IRS and the Office of Personnel Management have all given up personal information. So, it's no surprise the Government Accountability Office's latest report on information security contains little in the way of properly-secured information.
It opens with this depressing graph, showing just how many agencies flunked its information security controls assessment. Keep in mind that it only surveyed 24 agencies.
But what's most concerning about the report (which is full of concerning conclusions) is that, in an era of cyber-everything, the most common "security incidents" have nothing to do with phishing, security holes or any other cyber-related threat. They have to do with people and the mishandling of dead tree byproducts.
Non-cyber incidents are defined by the GAO as:
...a report of PII [personally-identifiable information] spillage or possible mishandling of PII that involves hard copies or printed material as opposed to digital records.

The GAO reports that security incidents have skyrocketed over the past eight years, from 5,500 in 2006 to nearly 70,000 last year.
It also notes that incidents involving personally-identifiable information have increased steadily as well.
[T]he number of information security incidents involving PII reported by federal agencies has more than doubled in recent years, from 10,481 in 2009 to 27,624 in 2014.

It all adds up to something fairly disturbing. Not only are government agencies increasingly under attack from outside forces, but their internal handling of hard-copy PII is getting worse as well -- even if the percentage of non-cyber incidents has declined over the past five years.
And despite the government's increased focus on all things cyber, the first chart makes it clear there has been almost no improvement in information security controls since 2013.
It also appears as though there's only one agency taking the GAO's past recommendations seriously: the Department of Defense.
OMB established a fiscal year 2014 target of 75 percent implementation for strong authentication. In its report on fiscal year 2014 FISMA implementation, OMB indicated that the 24 federal agencies covered by the CFO Act had achieved a combined 72 percent implementation of these requirements, but this number dropped to only 41 percent implementation for the 23 civilian agencies when excluding DOD.

Obviously, overhauling security controls in a large number of agencies is an enormous undertaking. But this low level of implementation is both frightening and pathetic. The government demands large amounts of personal information from citizens, as well as from its employees and job applicants. There's no opting out. Then it takes this information and provides only the most perfunctory of protections. Government agencies clearly can't be trusted with securing this information, but there's no option other than to submit and hope for the best. It's even more disheartening when you realize that some of these directives that still haven't been fully complied with have been in place since 2002.
The government asks for too much and provides too little in return. Multiple agencies want to be the "ground force" in the cyberwar. But until the homefront is secured, it seems unwise to deploy elsewhere.