GAO: Feds miss mark on security reporting

More instructions needed on which problems to report and to whom, auditors say.

Information Security: Emerging Cybersecurity Issues Threaten Federal Information Systems

Federal agencies need more detailed instructions to handle and report computer security threats, such as phishing, spyware and hacking, government auditors said in a report released today.

Government Accountability Office auditors have found that most federal officials do not understand which computer security incidents they should report or how and to whom they should report them, even though such reporting is mandatory under the Federal Information Security Management Act.

As a result, the Homeland Security Department’s U.S. Computer Emergency Readiness Team, which handles incident reporting, is unable to coordinate and respond to cyberthreats that target multiple federal agencies.

To remedy the lack of accurate and comprehensive reporting, the auditors recommended that Office of Management and Budget officials increase their oversight of agencies’ efforts to detect, report and respond to emerging cybersecurity threats.

The report identifies the perpetrators of such threats as hackers, insiders, phishers, spammers and botnet operators. Botnet operators control computers infected with "bot" viruses, which the operators use in denial-of-service attacks against targeted Web sites.

The auditors also asked OMB officials, in coordination with DHS cybersecurity experts and the U.S. attorney general, to develop governmentwide guidelines on how to deal with such threats and how to report them to DHS and law enforcement agencies.

In their response to the report, OMB officials agreed to expand their FISMA reporting requirements to include agencies’ response to emerging threats. They also plan to issue a document this summer that will define computer incident terms and clarify the roles and responsibilities of federal agencies for reporting computer security incidents.

The additional guidelines are needed, the auditors said, because most agencies have not fully addressed the risks of new cybersecurity threats as part of their agencywide information security programs.
