{
    "version" : "https://jsonfeed.org/version/1",
    "content" : "news",
    "type" : "single",
    "title" : "Federal Cybersecurity Challenges | Digital.gov",
    "description": "Federal Cybersecurity Challenges",
    "home_page_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/","feed_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2016/10/25/federal-cybersecurity-challenges/index.json","item" : [
    {"title" :"Federal Cybersecurity Challenges","summary" : "These days, when you turn on the news you almost always see another hack, leak, or breach putting sensitive information at risk. But we’ve been focusing on keeping federal agency information systems secure for a long time. For October’s Cybersecurity Awareness Month, the WatchBlog takes a look at federal cybersecurity challenges.  What is the threat?","date" : "2016-10-25T10:00:09-04:00","date_modified" : "2025-01-27T19:42:55-05:00","authors" : {"gao-watchblog" : "GAO WatchBlog"},"topics" : {
        
            "content-strategy" : "Content strategy",
            "product-and-project-management" : "Product and project management",
            "security" : "Security"
            },"branch" : "bc-archive-content-3",
      "filename" :"2016-10-25-federal-cybersecurity-challenges.md",
      
      "filepath" :"news/2016/10/2016-10-25-federal-cybersecurity-challenges.md",
      "filepathURL" :"https://github.com/GSA/digitalgov.gov/blob/bc-archive-content-3/content/news/2016/10/2016-10-25-federal-cybersecurity-challenges.md",
      "editpathURL" :"https://github.com/GSA/digitalgov.gov/edit/bc-archive-content-3/content/news/2016/10/2016-10-25-federal-cybersecurity-challenges.md","slug" : "federal-cybersecurity-challenges","url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2016/10/25/federal-cybersecurity-challenges/","content" :"\u003cp\u003eThese days, when you turn on the news you almost always see another hack, leak, or breach putting sensitive information at risk. But we’ve been focusing on \u003ca href=\"http://www.gao.gov/highrisk/ensuring_the_security_federal_government_information_systems/why_did_study?utm_source=blog\u0026utm_medium=social\u0026utm_campaign=watchblog\" target=\"_blank\"\u003ekeeping federal agency information systems secure\u003c/a\u003e for a long time. For October’s Cybersecurity Awareness Month, the WatchBlog takes a look at \u003ca href=\"http://gao.gov/key_issues/cybersecurity/issue_summary?utm_source=blog\u0026utm_medium=social\u0026utm_campaign=watchblog\" target=\"_blank\"\u003efederal cybersecurity challenges\u003c/a\u003e. \u003cspan id=\"more-4956\"\u003e\u003c/span\u003e \u003cdiv class=\"image\"\u003e\n  \u003cimg\n    src=\"https://s3.amazonaws.com/digitalgov/_legacy-img/2016/10/600-x-450-Security-concept-Gold-Closed-Padlock-on-digital-background-Maksim-Kabakou-iStock-Thinkstock-166739999.jpg\"\n    alt=\"Security concept: Gold Closed Padlock on digital background.\"/\u003e\u003c/div\u003e\n\n\u003c/p\u003e\n\u003ch2 id=\"what-is-the-threat\"\u003eWhat is the threat?\u003c/h2\u003e\n\u003cp\u003eCybersecurity incidents can pose serious challenges to personal privacy and security as well as the economy and national security.\u003c/p\u003e\n\u003cp\u003eThe breach at the Office of Personnel Management that was first reported in July 2015 is a good example of both. At least 21.5 million individuals had their personal data leaked, leaving them vulnerable to identity theft, fraud, and security threats. 
As most of the affected individuals were also government employees—many of whom are entrusted with sensitive or classified information—the breach was also a matter of national security.\u003c/p\u003e\n\u003cp\u003eAnd the number of reported information security incidents at federal agencies is growing—up more than twelvefold from 2006 through 2015.\u003c/p\u003e\n\u003cp\u003e\u003cdiv class=\"image\"\u003e\n  \u003cimg\n    src=\"https://s3.amazonaws.com/digitalgov/_legacy-img/2016/10/600-x-400-Federal-Cybersecurity-Challenges%5c_gao-16-885t%5c_fig11.jpg\"\n    alt=\"Figure 1: Incidents Reported by Federal Agencies, Fiscal Years 2006 through 2015.\"/\u003e\u003c/div\u003e\n\n\u003ca href=\"https://gaotest.files.wordpress.com/2016/10/gao-16-885t_fig11.jpg\" target=\"_blank\"\u003e\u003cbr /\u003e \u003c/a\u003e(\u003cem\u003eExcerpted from \u003ca href=\"http://gao.gov/products/GAO-16-885T?utm_source=blog\u0026utm_medium=social\u0026utm_campaign=watchblog\" target=\"_blank\"\u003eGAO-16-885T\u003c/a\u003e\u003c/em\u003e)\u003c/p\u003e\n\u003ch2 id=\"whos-behind-all-these-incidents\"\u003eWho’s behind all these incidents?\u003c/h2\u003e\n\u003cp\u003eThe threats to federal IT systems and networks come from a variety of sources and vary in terms of the types and capabilities of the actors, their willingness to act, and their motives. 
Here are some of the likely perpetrators:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eHackers/hacktivists\u003c/strong\u003e: people who break into networks for challenge, revenge, stalking, monetary gain, or to further political goals\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious insiders\u003c/strong\u003e: employees or contractors who can gain access to networks and systems through their positions in the organization\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNations\u003c/strong\u003e: nations and states that sponsor or sanction cyber attacks for espionage or information warfare\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCriminals and organized crime\u003c/strong\u003e: criminal groups who attack systems for monetary gain\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTerrorists\u003c/strong\u003e: people who use cyber attacks to threaten national security, cause mass casualties, weaken the economy, and damage public confidence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnknown malicious outsiders\u003c/strong\u003e: unknowns\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003ca href=\"http://gao.gov/products/GAO-16-501?utm_source=blog\u0026utm_medium=social\u0026utm_campaign=watchblog\" target=\"_blank\"\u003eOur survey of federal agencies\u003c/a\u003e found that the 18 agencies with “\u003ca href=\"https://blog.gao.gov/2016/06/24/securing-the-nations-most-sensitive-information-podcast/\" target=\"_blank\"\u003ehigh-impact systems\u003c/a\u003e” (i.e., those that hold sensitive information, the loss of which could cause catastrophic harm) identified cyber attacks from \u003cstrong\u003enations\u003c/strong\u003e as the most serious and most frequently-occurring threat.\u003c/p\u003e\n\u003cdiv class=\"image\"\u003e\n  \u003cimg\n    src=\"https://s3.amazonaws.com/digitalgov/_legacy-img/2016/10/600-x-450-Federal-Cybersecurity-Challenges%5c_gao-16-501%5c_fig3.jpg\"\n    alt=\"Figure 3: Most Serious and Most 
Frequently Identified Adversarial Cyber Threat Sources/Agents, as Reported by 18 Agencies with High-Impact Systems.\"/\u003e\u003c/div\u003e\n\n\n\u003cp\u003e(\u003cem\u003eExcerpted from\u003c/em\u003e \u003ca href=\"http://www.gao.gov/products/GAO-16-501?utm_source=blog\u0026utm_medium=social\u0026utm_campaign=watchblog\" target=\"_blank\"\u003e\u003cem\u003eGAO-16-501\u003c/em\u003e\u003c/a\u003e)\u003c/p\u003e\n\u003ch2 id=\"why-cant-agencies-stop-the-attacks\"\u003eWhy can’t agencies stop the attacks?\u003c/h2\u003e\n\u003cp\u003eSeveral laws and policies establish a framework for how the federal government should protect its information systems. However, \u003ca href=\"http://gao.gov/products/GAO-16-885T?utm_source=blog\u0026utm_medium=social\u0026utm_campaign=watchblog\" target=\"_blank\"\u003ewe reported\u003c/a\u003e that agencies are not consistently implementing the framework, and additional actions are needed. For example, agencies should\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003epatch vulnerable systems and replace unsupported software\u003c/li\u003e\n\u003cli\u003ecomprehensively test security on a regular basis\u003c/li\u003e\n\u003cli\u003estrengthen oversight of IT contractors\u003c/li\u003e\n\u003cli\u003ebetter identify cyber threats\u003c/li\u003e\n\u003cli\u003eimprove their responses to cyber incidents and data breaches, and\u003c/li\u003e\n\u003cli\u003ebetter recruit and retain a qualified cybersecurity workforce and improve workforce planning activities at agencies.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSo why isn’t this happening? 
The 24 agency Chief Information Security Officers we surveyed frequently cited these hurdles to overseeing information security activities:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ecompeting priorities between agency operations and information security\u003c/li\u003e\n\u003cli\u003edifficulties coordinating with other offices and component organizations\u003c/li\u003e\n\u003cli\u003elack of security-related information from internal offices and IT contractors\u003c/li\u003e\n\u003cli\u003eIT contractors and other staff not directly under a chief’s control, and\u003c/li\u003e\n\u003cli\u003ethe position of the CISO in the agency’s hierarchy.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eOver the past several years, we have made about 2,500 recommendations aimed at strengthening agencies’ information security programs and controls. It will take coordinated effort across the government, with strong strategic direction from the White House and effective oversight, to make sure that federal agencies are taking all the necessary steps to protect our nation’s systems and information. \u003cem\u003eQuestions on the content of this post? Contact \u003ca href=\"mailto:wilshuseng@gao.gov\"\u003eGreg Wilshusen\u003c/a\u003e.\u003c/em\u003e\n\u003cem\u003eThis post was originally published on GAO’s \u003ca href=\"https://blog.gao.gov/\"\u003eWatchBlog\u003c/a\u003e.\u003c/em\u003e \u003cem\u003eEditor’s note: Read more DigitalGov articles on \u003ca href=\"/preview/gsa/digitalgov.gov/bc-archive-content-3/topics/security/\"\u003esecurity\u003c/a\u003e and \u003ca href=\"/preview/gsa/digitalgov.gov/bc-archive-content-3/topics/privacy/\"\u003eprivacy\u003c/a\u003e. 
For more information on National Cyber Security Awareness Month, visit the \u003ca href=\"https://www.dhs.gov/national-cyber-security-awareness-month\"\u003eDepartment of Homeland Security\u003c/a\u003e (DHS), \u003ca href=\"https://www.us-cert.gov/ncas/current-activity/2016/10/25/Week-Four-National-Cyber-Security-Awareness-Month\"\u003eU.S. Computer Emergency Readiness Team\u003c/a\u003e (US-CERT), and the \u003ca href=\"https://www.fbi.gov/news/stories/national-cyber-security-awareness-month-2016\"\u003eFederal Bureau of Investigation\u003c/a\u003e (FBI) websites.\u003c/em\u003e\u003c/p\u003e\n"}
  ]
}
