Federal agencies need better cyber incident response plans – GAO

By Erin Ayers on June 4, 2014

Federal agencies need to do a better job of “effectively responding” to cyber incidents, according to a new report from the Government Accountability Office (GAO), which examined the responses of 24 “major” agencies to security breaches that occurred in 2012 and found a lack of documentation and consistency.

“Based on a statistical sample of cyber incidents reported in fiscal year 2012, GAO projects that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases (with 95 percent confidence that the estimate falls between 58 and 72 percent). For example, agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident,” the GAO stated in its report. “In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether preventive actions to prevent the reoccurrence of an incident were taken.”

The agencies are leaving themselves open to risk, the report indicated. The types of attacks federal agencies have already faced include data loss or theft, computer intrusions, and privacy breaches. For example, in July 2013, hackers stole the personally identifiable information of 104,000 individuals from the Department of Energy, including Social Security numbers, birth dates, locations, bank account numbers, and security questions and answers. In January 2013, a Romanian national was indicted for hosting a service that allowed criminals to distribute malware to computers worldwide, including National Aeronautics and Space Administration (NASA) computers. The attack caused “tens of millions of dollars in losses” to individuals, businesses and the government.

GAO said it undertook the study in response to increased cyber incidents against federal agencies in 2013. Data show that federal agencies reported 46,160 cyber incidents to US-CERT in 2013, up from 34,840 in 2012. The GAO explained that US-CERT, the federal information security incident center, is available to provide assistance to federal agencies, but it needs to be able to measure the effectiveness of its programs.

GAO evaluated the performance of six randomly selected agencies: the Departments of Energy (DOE), Justice (DOJ), Housing and Urban Development (HUD), Transportation (DOT), Veterans Affairs (VA), and NASA.

Government-wide, agencies took appropriate action by determining and documenting the scope of cyber incidents in about 91 percent of the cases. However, the GAO also noted a case where an agency received notice from US-CERT of possible compromise, but didn’t properly “consider potential impact” of the incident. The report highlighted the need for agencies to address all aspects of breaches.

Government agencies have managed to “contain” and “eradicate” most incidents that occur, the report found.

“Specifically, our analysis shows that agencies had recorded actions to halt the spread of, or otherwise limit, the damage caused by an incident in about 75 percent of incidents government-wide,” said the GAO. “However, agencies did not demonstrate such actions for about 25 percent of incidents.”

Failure on this point can be something as simple as disabling a lost iPhone’s mobile service before sending a “kill” command to the device, a command that would delete all emails and other data in the phone memory before misuse.

Finally, the GAO found that federal agencies aren’t taking the right steps to prevent incidents from reoccurring, nor are they documenting the steps they do take well enough. In order to combat the increasing risk of cyber threats, GAO recommended that the Office of Management and Budget and the Department of Homeland Security provide more oversight and use existing programs, such as CyberStat, to emphasize and monitor the correct actions following an incident. CyberStat is a program offering in-depth reviews of cyber incident response plans to all federal agencies.

“Having policies, plans, and procedures in place to guide agencies in responding to a cyber incident is critically important to minimizing loss and destruction, mitigating the weaknesses that have been exploited, and restoring IT services,” said the GAO.

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.