New report finds federal agencies ill prepared for cyber attacks

GAO outlines growing number of disruptive threats

WASHINGTON, D.C. - Here’s a chilling number: 46,160. That’s the number of reported cyber incidents against federal agencies in 2013. Worse, that’s a 30 percent increase in the last two years.

All this was detailed in an important but little-noticed report released recently by the Government Accountability Office.

Think the credit card information breach at Target was a big deal? This is a whole new ballgame: One company versus a governmentwide problem.

But it’s not only the increasing number of incidents that is cause for alarm. According to the report, cyber incidents against federal agencies are becoming more damaging and disruptive.

The GAO defines a cyber incident as a security breach of a computerized system and its information. In one case, hackers stole personally identifiable information — like Social Security numbers, birth dates, bank account numbers, etc. — of more than 100,000 individuals from the Department of Energy. The cost associated with fixing the breach could exceed $3.7 million.

The implications of this go beyond just government employees. National security information, public health data and the country’s economic well-being are only a small sample of what could be compromised every time a breach occurs.

According to Gregory Wilshusen, GAO’s Director for Information Security Issues and author of the report, 24 agencies were selected for review because “collectively, they compromise a substantial majority of the executive branch of the federal government in terms of budget, resources, and personnel; and likely have the greatest impact on the lives of Americans.”

Of the agencies reviewed in the report, six were randomly selected for a more in-depth analysis: the Departments of Energy, Justice, Housing and Urban Development, Transportation and Veterans Affairs, and NASA.

The GAO review found that although those six agencies had developed policies, plans and procedures to guide their responses to an incident, they were not always comprehensive or consistent with federal requirements.

That means agencies often had not clearly laid out who takes charge when an incident happens, how to determine how serious a breach is, or how effective they were in combating it.

This may sound like mundane office talk. But the big difference is that the issues at stake could include U.S. defense strategies and weapons capabilities against an outside attack. Also at risk: citizens’ personal data, such as your Social Security number.

In about 49 percent of incidents, GAO found that agencies could not establish that they had taken steps to prevent such incidents from happening again.

The GAO reports that most of the agencies agreed with the conclusions and recommendations. In response to DecodeDC’s request for comment, NASA and the departments of Veterans Affairs and Transportation said that they are actively working to meet GAO’s recommendations and improve cyber incident response policies. The other three agencies did not respond with a comment by the time of this article’s publication.
