What would happen if patients with implanted, wirelessly controlled medical devices suddenly learned the technology had been hacked?
And who’s really watching out for consumer privacy as location information from their mobile devices is getting swept up by a growing number of companies?
These and other questions are on the 2012 agenda for investigation by the nation’s leading federal watchdog, the Government Accountability Office, said Gregory Wilshusen, director, information security issues, for GAO.
While GAO investigators work largely at the behest of congressional lawmakers to determine whether federal agencies are complying with federal mandates, concerns about the rapidly evolving IT security landscape have captured the attention of senators and representatives alike.
For Wilshusen and his group of auditors and investigators, “There are always more issues to investigate than we can get to,” he said, following a presentation at the Government Technology Research Alliance.
“We provide a unique perspective,” he said, in that “the scope of our work can be government wide, looking at emerging trends, emerging threats, and emerging policies. And our work can also focus on an individual agency and how they’re protecting their systems, and what controls they’re using.”
GAO’s effort to examine IT security issues has grown in large measure because of the exponential growth of security incidents themselves.
The rate of security penetration incidents on federal information networks has grown 650% in the four years from fiscal year 2006 through 2010, the latest for which full data are available, Wilshusen said.
In absolute terms, the number of incidents has risen from 5,500 a year to more than 41,000, although that is partly because agencies are reporting incidents more consistently than in the past, he said.
Nevertheless, the types of incidents reflect both the increasing complexity of responding to security breaches and their changing nature, he said.
Last year, he said, 30% of the incidents were classified as efforts to place malicious code on federal networks.
Some incidents are considered more benign, yet still important to report. For instance, 19% of the incidents were classified as improper usage; 14% as unauthorized access; and 11% as outsiders scanning or probing networks or simply attempting to gain access.
Wilshusen, however, said fully 26% of last year’s incidents are still under investigation, and at least 1% of attempts were designed to shut down government IT systems through denial-of-service attacks.
Another area of concern for GAO is the extent to which agencies “continue to report information security weaknesses” in their financial systems. The risk, he said, is that the financial records used to manage substantial amounts of federal dollars could be compromised.
Wilshusen said that at the moment only five of 24 major federal agencies have satisfied GAO auditors that their financial record-keeping systems have “no significant deficiencies”; 11 agencies were found to have significant security deficiencies, and eight had deficiencies serious enough that their systems were deemed to have material weaknesses, that is, the accuracy or reliability of the information could come into question.
These and other concerns are driving GAO’s investigation plans for fiscal 2012, which began in October 2011. And while budgets and priorities remain somewhat up in the air, as federal budgets and congressional priorities continue to shift, Wilshusen said GAO was planning to look into the following areas:
FISMA (Federal Information Security Management Act) – GAO expects to look into the ability of the Environmental Protection Agency and the Census Bureau to protect the confidentiality of their information.
Emerging Issues – GAO plans to explore several major topics, including:
- IT supply chain concerns, looking at risk management controls on technologies produced overseas and embedded in equipment used by the Departments of Defense, Justice, Energy, and Homeland Security.
- Implantable medical devices
- Cyber threats to the defense industrial base, which operates many of the networks over which DoD data are stored, carried and processed.
Privacy – GAO plans to look at controls on a number of major systems or practices including:
- Taxpayer privacy protections
- Electronic prescriptions
- Privacy of location-based information
- Cyber threats to the industrial base
Critical IT Systems and Infrastructure – GAO plans to examine:
- Federal role in data communication network security
- Consumer communication devices
- Security incident reporting
- Communications and information industry sector standards
GAO will also be looking into the consolidated financial statements of at least nine agencies, including the Federal Reserve, FDIC, and FHFA.
Wilshusen also highlighted a variety of reports issued over the past year or more that provided detailed assessments of the government’s security progress on several fronts, including:
- Government identification cards and cyber security staffing (GAO-12-8);
- Guidance on addressing cloud computing security concerns (GAO-12-130T);
- Cross government security weaknesses (GAO-12-137);
- Efforts to improve security through continuous monitoring (GAO-11-149); and
- Social media adoption (GAO-11-605)
Wilshusen noted that GAO’s review of the State Department’s efforts to implement continuous monitoring had showcased one of the more successful applications it had found in the past year.