Federal officials have become increasingly concerned about the potential for cyber attacks in the wake of a range of incidents involving data loss or theft, computer intrusions, and privacy breaches, GAO has said, but federal systems still are not sufficiently protected to consistently thwart such threats.
In report GAO-09-661T, GAO reviewed its own prior reports, as well as reports from agency IG offices and other sources, on threats that it characterized as posing "a potentially devastating impact to systems and the operations and critical infrastructures that they support."
Such threats can be unintentional and intentional, targeted or nontargeted, and can come from a variety of sources, such as foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization, the report said. "Moreover, these groups and individuals have a variety of attack techniques at their disposal, and cyber exploitation activity has grown more sophisticated, more targeted, and more serious. As government, private sector, and personal activities continue to move to networked operations, as digital systems add ever more capabilities, as wireless systems become more ubiquitous, and as the design, manufacture, and service of information technology have moved overseas, the threat will continue to grow."
"Serious and widespread information security control deficiencies continue to place federal assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption," the report said.
It said, for example, that most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, and information. Further, agencies do not always configure network devices and services properly, segregate incompatible duties, or ensure that continuity of operations plans contain all essential information.
GAO noted that the Comprehensive National Cybersecurity Initiative is intended to improve federal efforts to protect against intrusion attempts and anticipate future threats but said that until agencywide information security programs are "fully and effectively implemented, federal information and systems will remain vulnerable."