How agencies can defend themselves against cyber attacks

Cybersecurity is a growing issue for the federal government, and cyber-based threats are evolving all the time.

The Government Accountability Office was asked to examine the issue so that federal agencies could better combat attacks and recently released its report.

Greg Wilshusen is GAO's Director of Information Technology Security Issues and said there are many types of attacks, which is why it is becoming more difficult to fight them.

"Certainly with the unintentional attacks -- those can occur usually because of the inattentive actions or the untrained employees. They can also occur through maintenance procedures, for example, if a system administrator is installing a new application he or she may have to disengage certain security controls in order to install that application and then forget to re-engage those controls."

Thus, the unintentional attacker, according to the report, is one that doesn't mean to harm a computer or system, but leaves open a backdoor or an opening for someone malicious to enter.

There are also intentional attackers, of course, such as foreign governments who wish to do harm or criminals.

The report also discusses how people move around once they're in.

"In the incidents that have been reported by federal agencies, in many instances the attacker will download malicious software on the devices and that can cause some problems and disruptions of service for agencies. Also, there have been instances where attackers have been exfiltrating large amounts of information to points unknown. That's quite troubling because that information could be quite valuable and could cause some problems for the agencies."

It is, in fact, a perfect storm. There are an increased number of attacks and there are more types of attacks, which means working in cybersecurity is extremely challenging.

"Over the last several years we have reported numerous vulnerabilities in federal systems that we have examined, making hundreds of recommendations to better strengthen the security over their systems. They generally are taking steps to improve the security by implementing the recommendations and the federal government has also initiated other [programs], such as the comprehensive national cybersecurity initiative . . . as well as other ones like EINSTEIN."

One of the biggest challenges, however, is making sure there are controls in place to affray attacks, and one of the biggest has to do with behaviors.

"[Agencies need to] ensure that their employees and their contractors who have access to their systems are adequately trained in their roles and responsibilities with regard to protecting systems."

The report said that agencies need to regularly test and evaluate the effectiveness of their cybersecurity controls to ensure they are designed and operating properly.

Wilshusen said the GAO does not think this is the only way to fix the problem, but it is a big part of fighting cyber attacks.