Citing weaknesses in security controls at 24 major agencies, a new report by the U.S. Government Accountability Office (GAO) charts the stellar rise in incidents and tries to highlight what went wrong. Just today my colleague Stephen Cobb also posted about a government-related incident in the health care sector. Over the timeframe of the study, starting in 2006, the rise describes a curve that is more asymptotic than linear, suggesting the trend is accelerating. During the same period, various governmental agencies have made a considerable effort to migrate data online for accessibility, especially between agencies. This data migration also paves the way for mishaps, potentially exposing sensitive information; examples have been trotted out in recent headlines, causing widespread concern.
"Agencies have not fully implemented their information security programs," Gregory Wilshusen, GAO director of information security issues, writes in the 49-page report. "As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise."
The incidents are categorized in the report, with Malicious code coming out on top at 30%, followed by Investigation at 26%, Improper usage at 18%, Unauthorized access at 14%, Scans/probes/attempted access at 11%, and Denial of service at 1%. It is interesting that DoS attacks have been so minimal. It seems malicious actors are far more interested in data gathering than in shutting down a service. We don’t see much data in the report about Advanced Persistent Threats (APT), though those are really a combination of attacks in succession with a goal of eventual exfiltration of data.
In a statement that accompanied the report, Sen. Thomas Carper, who chairs a Senate subcommittee on government IT security, said, "these findings are all the more troubling given that GAO has been telling us for some time that these are areas of vulnerability and must be addressed, yet we still haven't made enough progress in shoring up these obvious weaknesses."
The GAO is making recommendations to various agencies on how to shore up defenses, and apparently the agencies will be rolling out security measures to counter such incidents now and in the future. Will it be enough to gain or regain the trust of citizens who rely on the services? An old anecdote regarding food at restaurants may apply here: when a person has a good meal they tell 2 people; when they have a bad meal they tell 10. Bad news seems to last much longer and spread wider and faster than good news, so the agencies will have their work cut out for them, and will have to be secure for a long period of time to shore up trust among users.