Cyber Insecure

1. Department of Agriculture
2. Department of Commerce
3. Department of Defense
4. Department of Education
5. Department of Energy
6. Department of Health and Human Services
7. Department of Homeland Security
8. Department of Housing and Urban Development
9. Department of the Interior
10. Department of Justice
11. Department of Labor
12. Department of State
13. Department of Transportation
14. Department of the Treasury
15. Department of Veterans Affairs
16. The Environmental Protection Agency
17. General Services Administration
18. National Aeronautics and Space Administration
19. National Science Foundation
20. Nuclear Regulatory Commission
21. Office of Personnel Management
22. Small Business Administration
23. Social Security Administration
24. U.S. Agency for International Development

What is this list you ask? All of the branches of the U.S. government?

No. Just those federal agencies who continue to report deficiencies in their information security.

In their 2008 performance and accountability reports, 20 of the 24 above named agencies noted that inadequate information system controls were either a material weakness or a significant deficiency.

In addition, 23 of the 24 agencies did not have adequate controls in place to ensure that only authorized individuals could access or manipulate data on their systems and networks.

This report shows that U.S.-based networks are leading the way in cyber attacks, followed closely by The People's Republic of China. Image by xo.com.

Making a typical understatement in March, the Government Accountability Office reported that "the present cyber security strategy has not been fully effective in mitigating the threat."

Over the past 3 years the number of incidents reported by federal agencies has increased dramatically -- tripling from 5,503 incidents reported in fiscal year 2006 to 16,843 incidents in fiscal year 2008.

GhostNet: A Malware-Based Cyber-Espionage Network

So, what does Gregory C. Wilshusen, Director, Information Security Issues recommend as a fix?

The list of improvements includes:

• developing a national strategy that clearly articulates strategic objectives, goals, and priorities
• establishing White House leadership [emphasis mine]
  
• publicizing and raising awareness about the seriousness of the cyber security problem
• focusing more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans
• bolstering public/private partnerships through an improved value proposition and use of incentives [i.e. using hackers]
• focusing greater attention on addressing the global aspects of cyberspace
• placing greater emphasis on cyber security research and development, including consideration of how to better coordinate government and private sector efforts
• increasing the cadre of cyber security professionals

Until these improvements are considered," Mr. Wilshusen concludes, "our nation’s federal and private sector infrastructure systems remain at risk."

Source: Federal Information Security Issues (PDF, 7 pages)

Further reading:

WSJ: Electricity Grid in U.S. Penetrated By Spies (who not only breached the electrical grid’s ramparts but also left behind software that could allow them to cripple the system.)

America's enemies have targeted its cyber vulnerabilities

The Launching of U.S. Cyber Command (CYBERCOM)

Bill Allows Obama Power to Shut Down Internet