From the U.S. Government Accountability Office, www.gao.gov
Transcript for: AskGAOLive Chat on Federal Information Security
Description: Online video chat with Greg Wilshusen, Director, Information Technology
Related GAO Work: GAO-13-776: Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness
Released: September 2013

[ Background Music ]
[ First Screen ] Ask GAO Live

[ Sarah Kaczmarek: ] Welcome, everyone, to Ask GAO Live, the Government Accountability Office's live chat streaming program. Thank you so much for taking the time to tune in and join us today. My name is Sarah Kaczmarek. I'm in our Office of Public Affairs. I'm joined today by Greg Wilshusen, a director in our Information Technology team. Thanks so much for joining us today.

[ Greg Wilshusen: ] Thank you for having me, Sarah.

[ Sarah Kaczmarek: ] We're going to be talking today about federal information security and GAO's recent work on that. Greg's team recently led a report looking into this, and you can find that report on our website, gao.gov. You can look for it under Reports and Testimonies by looking for the report GAO-13-776. So, again, you can find it under Reports and Testimonies, or you can search for GAO-13-776. To send in your questions today, you can send them in via e-mail; we've already gotten a few e-mails. The e-mail address is askgaolive@gao.gov, so please do send in your questions and your thoughts, and we'll do our best to get you a response today. Also, if you're on social media, you can send in your questions on Twitter using the hashtag #AskGAOLive, so we'll be keeping an eye out for your tweets and your e-mails and doing our best to get you a response today. So, to get us started, Greg, could you give us a bit of an intro on yourself and your work at GAO?

[ Greg Wilshusen: ] Sure. Thank you, Sarah.
I'm GAO's director for information security issues, and in this capacity I have the honor and privilege of leading a group of IT analysts and specialists in reviewing matters related to federal information security, privacy of personal information, and critical infrastructure protection as it relates to cyber matters. The scope of the work that we do can range anywhere from examining issues related to information security and emerging technologies across the entire federal enterprise, to drilling down and examining the security controls, and the effectiveness of those controls, over specific government systems and networks. Together with the work that we do with my colleague, Dr. Naba Barkakati, who is GAO's technologist, we provide a very unique service that I think gives us a very useful perspective on information security across the entire federal government.

[ Sarah Kaczmarek: ] Thanks, Greg. And could you give us an overview of our topic today, federal information security?

[ Greg Wilshusen: ] Sure. The Federal Information Security Management Act of 2002 requires that GAO periodically report on the information security practices and policies of federal agencies, and the agencies' compliance with the provisions of the act. That particular act provides umbrella requirements for federal agencies to implement appropriate security controls over their systems and networks. And the report that we're discussing today is the report that we issued, just as you mentioned earlier, last Thursday.

[ Sarah Kaczmarek: ] And now let me ask you, are all federal agencies responsible for protecting their information security?

[ Greg Wilshusen: ] Absolutely, Sarah. Each federal agency has requirements under FISMA to implement the appropriate security controls that are commensurate with the risks that it faces in protecting the information and information systems that it operates in order to conduct its business.
The goal of these controls is to protect the confidentiality, integrity, and availability of the information and information systems.

[ Sarah Kaczmarek: ] Thanks, Greg. I'm going to turn now to a question we got in on e-mail from Tula. Tula asks, is our critical infrastructure also at risk from cyber threats, and if so, what's the federal government doing about it?

[ Greg Wilshusen: ] That's a great question, Tula. Indeed, our critical infrastructure is subject to similar cyber security threats over the operations of those infrastructures. The critical infrastructures are those assets and key resources that are so essential to our being that their corruption or disruption could have an adverse effect on our national security and economic prosperity. Critical infrastructures include, for example, for those who might not know it, our water distribution systems, our communications networks, as well as our financial and banking industries. One of the things that's very important to remember in this area is that most of the critical infrastructure is, in fact, owned by the private sector. And so, even though the federal government doesn't necessarily have direct ownership, it does have a role in helping to assist private sector owners and operators in protecting the cyber security of those critical infrastructures.

[ Sarah Kaczmarek: ] Well, that's a great point about how this is not only federal, but also private sector as well. So for people who are working in the area of federal information security, what are some of the key things that they need to know?

[ Greg Wilshusen: ] Well, with respect to federal information security, individuals need to know what the risks are, what the threats to their systems and to their networks are.
And so, in order to do that, they need to conduct a threat assessment, and then determine what appropriate controls are needed to protect the confidentiality, integrity, and availability against those threats. And so it is quite important for our agencies to be up to date on those risks and to implement the appropriate security controls to mitigate them to a manageable level. One thing that's important to remember is that agencies are not responsible for eliminating all risk, but rather for managing it.

[ Sarah Kaczmarek: ] That's a really good point. And I'm going to go now to our next question from Andy over e-mail. Andy asks, the report states that information security incidents continue to rise; what's the cause of this increase?

[ Greg Wilshusen: ] That's a good question, Andy. And, in fact, we have a bar chart that shows the rise, which we included in our report.

[ Screen: Bar chart showing the number of incidents reported increased from 2006 to 2012. ]

As the bar chart shows, the number of incidents increased over the last 6 years from about 5,500 to over 48,000 incidents. That's an increase of 782 percent over that period. There are a number of reasons why these incidents are being reported by federal agencies, and I might say that these are the incidents that have been reported; it does not include incidents that have not been reported by the agencies. But the increase can be due, in part, to better reporting on the part of the agencies. As the chart shows, starting in 2006 there was a significant security incident at the Department of Veterans Affairs, which exposed the personally identifiable information of over 26 million veterans. Since that time, agencies have put an increased emphasis on reporting incidents to US-CERT, as is required by federal policy.
It also can reflect better detection techniques on the part of the federal agencies in identifying when incidents occur so they can take the appropriate action and then report them. But it also indicates that there is still, and remains, a very active threat environment which agencies need to guard against and protect against. Finally, it also shows that agencies' practices and systems are vulnerable to these types of incidents, and so it's really a combination of factors that leads to this reported increase of security incidents.

[ Sarah Kaczmarek: ] Thanks, Greg. And I'm going to go right to our next question from Maimai over e-mail, because it really ties into this concern. Maimai asks, if the federal government, with all of its resources, has a difficult time protecting its computer systems, how can I be expected to effectively protect my own computer system? And what advice would you have for her?

[ Greg Wilshusen: ] That's a great question, Maimai, and perhaps one that many of our viewers may have. Indeed, the same types of security threats and cyber threats that afflict federal agencies can also afflict your use of the Internet and systems. And so it's important that you, as an individual, take a number of key steps to help minimize the risks that you face when using the Internet and your computer systems. One, you should always use complex, detailed passwords that would be difficult for someone to guess. Second, you should always keep your operating system versions, your antivirus software, and patches up to date on your computer systems. Hackers and others frequently exploit unpatched software and old, outdated versions of software, because they typically have a number of vulnerabilities that are well known. So it's important to keep those current. And in doing that, you can often work with your vendor in order to provide automatic updates to your system.
In addition, you should install personal firewalls. This too will give you an added layer of security over your systems and your personal information. In addition, you can also take steps to limit the amount of personal information that you may have out there if you use, for example, social media. Social media sites are often trolled by attackers wanting to identify potential targets and victims, and they can use the information that you provide on there to their advantage. So these are just a number of steps that you can take to help protect your own information and your use of your computer on the Internet.

[ Sarah Kaczmarek: ] Well, let me ask you then, do individuals and private companies face the same types of cyber threats that the federal government faces?

[ Greg Wilshusen: ] Well, indeed. Many of the threats that the federal government faces come from a number of different sources, to include foreign governments, nation-state entities, but also hackers and insiders, as well as hacktivists, and certainly organized criminal groups. And it's particularly those from the hackers and organized criminal groups which may also target individuals and businesses, who can also include corporate adversaries. You know, anyone who may seek to gain either financially or through some other purpose can potentially target your system, and indeed, there are hackers that may go out and try to compromise your system so they can gain control of your system, and then use your system to further their aims and, perhaps, for example, perpetrate a distributed denial of service attack by having your system as part of a botnet that they operate.

[ Sarah Kaczmarek: ] Thanks, Greg.
And before we go to our next question, I do want to say that we have gotten a couple of e-mails about the audio being a bit difficult to hear. Thank you so much for those e-mails, and we're working to fix that, so please do stay with us as we try to address that. And this is a good time for a reminder as well: please do continue to send in your questions and your comments. You can send them in on e-mail to askgaolive@gao.gov. And, again, we're on Twitter looking for your questions and comments with the hashtag #AskGAOLive. So going back to our questions from the audience, we have a question from Helen on e-mail who asks, what weaknesses were identified in federal systems, and what areas were identified as having the greatest weaknesses?

[ Greg Wilshusen: ] Well, in our review, we identified that several key controls had weaknesses at, in fact, most of the federal agencies that we looked at. We looked at 24 major federal departments and agencies, and, for example, at their access controls, we identified weaknesses at 23 of the 24 agencies in those types of controls that are intended to limit, detect, and prevent unauthorized access to their systems. These types of controls include, for example, what are called identification and authentication controls, which are used to verify the identity of individuals seeking access to your systems; for example, a user ID and password. In addition, border protection controls. These would be the firewalls and routers and servers that help to protect against traffic coming in from the Internet and limit that traffic to only what is authorized, as well as traffic exiting the internal networks going out to the Internet. In addition, physical security was another area where many agencies had weaknesses in limiting access to computer resources.
By limiting and restricting physical access to critical IT resources, agencies can take steps to better protect their information. Another key control where we found numerous weaknesses, in fact at all 24 of the federal agencies reviewed, dealt with configuration management. These are the controls that are intended to ensure that only valid and current operating systems and application software are being used, and that patches are installed and kept up to date, because that, as I mentioned earlier, is very important: unpatched software and out-of-date software can often lead to avenues where attackers can take advantage.

[ Screen: Table showing information system control categories reported on. ]

[ Sarah Kaczmarek: ] Well, we have a great question here from Akbar over e-mail, and this really gets at something that, you know, an individual or person can really resonate with, and that is they file their tax returns every year with the IRS, and as everyone knows, you do enter in a lot of sensitive and personal information, as well as financial information. So Akbar would like to know, is this information secure?

[ Greg Wilshusen: ] That is a great question, Akbar, and probably one that many of our viewers would also like to know the answer to. I've been working at GAO now for 17 years, and every year since that time, I've had the opportunity to actually audit the Internal Revenue Service and the security controls it has in place to protect its financial and taxpayer information. And every year since 1997, we have reported that IRS has a material weakness in information security controls for financial reporting purposes. The material weakness is the most severe and serious type of weakness that we report on, and this has been ongoing for a number of years. But over the last few years, IRS has taken a number of steps in which it has improved the security over its information and information systems.
And this past year, for the first time, we reported that IRS basically downgraded our material weakness to a significant deficiency. Now, a significant deficiency is still pretty bad, you know, and, indeed, IRS does need to take additional steps, but they have been making progress and improvements over its information security, over taxpayer information. So, the bottom line in terms of is your information safe: well, there's still risk associated with that information, but IRS is attempting to take steps to better protect it for your convenience.

[ Sarah Kaczmarek: ] Well, we have a great follow-up question here from Nadia over e-mail who asks, what public policies will be the most successful in both eliminating and managing cyber threats?

[ Greg Wilshusen: ] Well, I don't know if we'll ever be able to eliminate cyber threats, in large part because many of the threats are external to the federal government. Of course we do have insider threats that agencies have to protect against, and there are a number of steps that agencies can take to try to mitigate and reduce the risk from insiders. Some of these actions can be, for example, limiting the amount of access that you give to individuals to only that level of access needed to perform their job-related responsibilities. Make sure you have adequate monitoring over the activities of the individuals, so that the controls that are in place for the activities that they perform are checked by another group, and that any one particular group does not control all aspects of a particular transaction or activity associated with their use of computers. That's called segregation of duties. So it's important that agencies implement an appropriate level of segregation of duties to prevent one individual from having unnecessary and, certainly, potentially dangerous access permissions.
So, there are a number of controls and actions that agencies can take to protect against and try to mitigate insider threats. But as far as external cyber threats from foreign nations, hackers, and the like, one of the key things that agencies need to do is first recognize what those threats are, and then take the appropriate steps, such as assuring that you limit access to the resources, you have strong firewall capabilities in place, as well as other types of security controls that are available to protect information.

[ Screen: Table showing information system control categories reported on. ]

And, indeed, I believe we have a chart and a table that lists the different types of information system security controls that agencies can implement to help protect their systems. As we can see from this chart, there are about 17 of them, and these are the controls that the federal government and the executive branch have deemed to be particularly important, since it requires each of the agencies to report on their implementation of these controls.

[ Sarah Kaczmarek: ] And, again, if you're interested in getting this chart or the full report, you can find that on our website; the report number is GAO-13-776, so you can find that table right in the report. And we've got another good follow-up question on this topic from Demetri via e-mail, who asks, what would happen if a data breach results in my personal information being disclosed to somebody who's seeking to commit identity theft or some kind of financial fraud?

[ Greg Wilshusen: ] That's another great question, Demetri. Agencies, if they suspect that an individual's personally identifiable information has been involved in a data breach, are required by federal policy to report that breach immediately up to DHS, the Department of Homeland Security. Our work has shown in the past that there are a number of steps that agencies should be taking in the event that such a data breach occurs.
And these include, for example, making sure that the agency has designated a core group of senior officials to monitor and track the incident, to make decisions determining whether or not certain services, such as credit monitoring services, should be offered, and also whether or not any particular actions need to be taken in order to protect against such data breaches. In fact, your question is very similar to one that we received from Senators Carper, Coburn, and Collins, in which they have asked GAO to examine agencies' response policies and practices, and the implementation of those policies and practices, in response to a data breach. We're presently conducting that work. It's ongoing, and we expect to issue our report in November. So, Demetri, please stay tuned for when we issue that report.

[ Sarah Kaczmarek: ] That's a great point, to definitely follow back up and see what else we continue to do on this. Let me turn to a really interesting question from Justin over e-mail who asks, what are some of the worst-case scenarios that could occur if the government fails in securing its information security systems?

[ Greg Wilshusen: ] That's a great question, Justin, and, indeed, the consequences can be quite significant, impacting national security or economic prosperity, as well as public health and safety. As you may know, the federal government collects all manner of highly sensitive, classified information, and it uses this information for conducting various different activities. If the information, for example, in a military command and control system is corrupted or is taken over by one of our adversaries, that could have dire consequences, as the military uses that system in the conduct of operations. In addition, the information that agencies collect on our citizens, the taxpayer information, the financial information, medical information, is also quite significant.
If that information is disclosed to unauthorized individuals, that could have important consequences for the individual, to include potential identity theft, the loss of income, or financial fraud. And so there are a number of activities that could have certainly dire consequences to our nation and to individuals should the compromise of this information be effected.

[ Sarah Kaczmarek: ] Well, with that in mind and with the findings from the report, what is GAO recommending out of this report that agencies do to better protect their information security?

[ Greg Wilshusen: ] Well, in this particular report, we make a couple of recommendations to DHS and OMB, with respect to refining and developing different performance measures, which can help them assess the effectiveness of agencies' information security controls. Indeed, in our prior reports, we have issued hundreds, in fact thousands, of recommendations to federal agencies with very specific, technical, and procedural-type recommendations to improve their security controls. We don't repeat them in this particular report, but we do recognize that there are a number of recommendations that we have made relative to agencies' access controls, configuration management, segregation of duties, and implementation of security programs which will help those agencies to better protect their information.

[ Sarah Kaczmarek: ] Well, Ruth asks over e-mail, this report talks about how agencies can automatically monitor computer systems and vulnerabilities, so, do you think this is one way that the federal government could help address some of the weaknesses in the system?

[ Greg Wilshusen: ] Yeah, that is a good question, Ruth. Indeed, the use of continuous monitoring, as this automated capability is referred to, is one of the administration's three key cyber security priority goals.
It wants every agency, for example, to implement an automated capability to monitor their assets, vulnerabilities, and configurations of their systems for 95 percent of their devices by the end of fiscal year 2014. For fiscal year 2012, that goal was 80 percent. And what we found, as we indicate in our report, is that while agencies are making progress in implementing this capability, they still have a ways to go. But in terms of identifying and perhaps reducing the number of incidents and weaknesses using this capability, I think initially we'll likely even raise it, just because right now agencies are required to test and evaluate their systems on pretty much an annual basis; with continuous monitoring, they're going to be examining and reviewing these vulnerabilities on a much more frequent basis. And by that, they'll be able to identify these control weaknesses sooner, and hopefully take action, and that's going to be important. It's one thing to monitor; it's a completely different action to make sure you take the appropriate recommended remediation to correct that vulnerability. Knowing more about them is a positive, but you have to act. You're not improving security until you actually implement the corrective actions to mitigate those vulnerabilities.

[ Sarah Kaczmarek: ] That's a great point, and I want to turn to a really interesting question from Roger over e-mail, who says, FISMA is 11 years old and was enacted before the Department of Homeland Security was even established. Do you think that FISMA, or the law that sets out some of these requirements, needs to be updated?

[ Greg Wilshusen: ] Wow, that is a good question, Roger, and, indeed, over the last several years, Congress has been looking at various different bills to update different aspects of FISMA. And, indeed, I would say that it does; there are certain activities and requirements under FISMA that could be updated.
You know, while the basic construct of the law is sound and incorporates best-practice principles, there are a couple of areas that could be clarified. For example, one is just the responsibilities of OMB and the Department of Homeland Security. As you point out, the Department of Homeland Security wasn't even created, or had just been initiated, at the time FISMA was enacted. Recently, in the last couple of years, the Office of Management and Budget, to which FISMA has given primary responsibility for overseeing the implementation of security controls at the agencies, has given and transferred many of those responsibilities over to the Department of Homeland Security. And so, so that the department has the appropriate authorities to conduct this oversight, it could be done through a change in legislation to FISMA. And this is one of the areas that we have made a matter for congressional consideration in one of our reports. And certainly, the other area that could be updated is that FISMA requires agencies to test and evaluate their systems at a frequency of about an annual basis. With the changes in cyber threats and vulnerabilities, and the escalation of new technologies in federal government computing environments, a more frequent review and assessment of security controls is needed, and that gets to the continuous monitoring question that we talked a little bit about before.

[ Sarah Kaczmarek: ] Alright, well, we have a few questions left, but only a couple of minutes, so I'm going to wrap up with our last question today. And that is, for agencies struggling with this, you know, what do you see as the bottom line here?

[ Greg Wilshusen: ] Well, I see that agencies, over the last several years, have made progress in some respects in implementing effective information security programs, but their progress has been mixed.
You know, while they've made progress in a couple of areas, sometimes they regress, and so it's particularly important, going forward, that agencies give the appropriate detail and attention to implementing the appropriate security controls over their systems. That will be challenging in today's environment, with constrained budgets, but it's something that agencies have a duty to do and is certainly something that we will be continuing to monitor as we go forward.

[ Sarah Kaczmarek: ] Well, Greg, thank you so much for taking the time to join us today and to talk about this topic.

[ Greg Wilshusen: ] Thank you, Sarah, for having me.

[ Sarah Kaczmarek: ] Absolutely. And thanks, everyone, for tuning in today. We really appreciate you taking the time to join us and to send in your questions. For more information from the Government Accountability Office, you can find information online at our website, that's gao.gov. We're on Facebook at facebook.com/usgao, or on Twitter at usgao. And we're on LinkedIn as well. So, thank you all so much for taking the time to be with us today, and we hope you tune in again next time.

[ Background Music ]
[ Final Screen ] AskGAOLive. THANK YOU FOR TUNING IN TODAY. Please send any feedback to AskGAOLive@gao.gov and check back here for future chats.
U.S. GOVERNMENT ACCOUNTABILITY OFFICE