Government Accountability Offices Finds Government Still Mostly Terrible When It Comes To Cybersecurity

from the can't-even-secure-a-filing-cabinet,-apparently dept

The government has done a spectacularly terrible job at protecting sensitive personal information over the past couple of years. Since 2013, the FDA, US Postal Service, Dept. of Veterans Affairs, the IRS and the Office of Personnel Management have all given up personal information. So, it's no surprise the Government Accountability Office's latest report on information security contains little in the way of properly-secured information.

It opens with this depressing graph, showing just how many agencies flunked its information security controls assessment. Keep in mind that it only surveyed 24 agencies.


But what's most concerning about the report (which is full of concerning conclusions) is that, in an era of cyber-everything, the most common "security incidents" have nothing to do with phishing, security holes or any other cyber-related threat. They have to do with people and the mishandling of dead tree byproducts.


Non-cyber incidents are defined by the GAO as:
...a report of PII [personally-identifiable information] spillage or possible mishandling of PII that involves hard copies or printed material as opposed to digital records.
The GAO reports that security incidents have skyrocketed over the past eight years, from 5,500 in 2006 to nearly 70,000 last year.


It also notes that incidents involving personally-identifiable information have increased steadily as well.
[T]he number of information security incidents involving PII reported by federal agencies has more than doubled in recent years, from 10,481 in 2009 to 27,624 in 2014.
It all adds up to something fairly disturbing. Not only are government agencies increasingly under attack from outside forces, but their internal handling of hard-copy PII is getting worse as well -- even if the percentage of non-cyber incidents has declined over the past five years.

And despite the government's increased focus on all things cyber, the first chart makes it clear there has been almost no improvement in information security controls since 2013.

It also appears as though there's only one agency taking the GAO's past recommendations seriously: the Department of Defense.
OMB established a fiscal year 2014 target of 75 percent implementation for strong authentication. In its report on fiscal year 2014 FISMA implementation, OMB indicated that the 24 federal agencies covered by the CFO Act had achieved a combined 72 percent implementation of these requirements, but this number dropped to only 41 percent implementation for the 23 civilian agencies when excluding DOD.
Obviously, overhauling security controls in a large number of agencies is an enormous undertaking. But this low level of implementation is both frightening and pathetic. The government demands large amounts of personal information from citizens, as well as from its employees and job applicants. There's no opting out. Then it takes this information and provides only the most perfunctory of protections. Government agencies clearly can't be trusted with securing this information, but there's no option other than to submit and hope for the best. It's even more disheartening when you realize that some of these directives that still haven't been fully complied with have been in place since 2002.

The government asks for too much and provides too little in return. Multiple agencies want to be the "ground force" in the cyberwar. But until the homefront is secured, it seems unwise to deploy elsewhere.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, dod, gao, government, nsa


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 7 Oct 2015 @ 2:30pm

    If only the US government treated cybersecurity seriously and didn't try to numb people to their requests by trying to push new surveillance bills with the label "cybersecurity" on them.

    It's like the boy who cried wolf. If they keep pushing stupid surveillance bills like CISA as "cybersecurity", even though they'll do nothing to improve cyberseurity and may even make things worse, by allowing incompetent government employees access to millions of people's data, there will be a time when they'll need a "real" cybersecurity bill to pass, and no one will want it anymore.

    link to this | view in thread ]

  2. identicon
    Bob elod, 7 Oct 2015 @ 3:27pm

    I believe the problem is the perception of the worth of the information and the consequences if it was lost, stolen,or tampered.
    A lot of people (in government and outside it) consider military weapons and technology worth securing. If military data is comprised it could easily mean catastrophe by the loss of life from unintended targets like civilians, your own sides military personnel, or very expensive equipment and buildings. Since the DoD already has protections in place for classified data the same techniques, tools, and personnel can be applied more easily to its PII as well.

    Now look at just PII. I am sure most if not all readers of TechDirt value their privacy and PII. But a lot of people (both in and outside government) don't consider it as important to safeguard. The evidence can be found in the posts people make on social media, their complacency when accepting terms and conditions that collect data in exchange for some small piece of functionality in an app or to play a game. Government agencies being run by people are no different in the cavalier attitude towards PII.
    It comes down to what people consider most important and nobody will die if PII is lost, stolen, or tampered. At least that is what people think until they are the victims of identity theft. I bet anyone who has been a victim would argue that they might as well be dead since their information was exploited. After being victimized the true value of PII suddenly comes into play. Until everyone sees how important safeguarding PII truely is don't expect much to be done by government or people in general.

    link to this | view in thread ]

  3. icon
    bosconet (profile), 7 Oct 2015 @ 4:21pm

    Spend the money

    link to this | view in thread ]

  4. icon
    bosconet (profile), 7 Oct 2015 @ 4:28pm

    Re:

    that was an unfinished comment.

    Let's consider this, it doesn't matter if they spend the $ for real security or just keep with the status quo. Breaches are now accepted so why bother really fixing anything in a meaningful way.

    link to this | view in thread ]

  5. identicon
    Yes, I know I'm commenting anonymously, 8 Oct 2015 @ 4:08am

    The law of Data Security

    Just another example of the Laws of Data Security:
    1. No-one properly secures someone else's data;
    2. Almost no-one knows how (in)secure they store their own data;
    3. There is no secure way of storing digital data online.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 8 Oct 2015 @ 5:19am

    Those who can, do.
    Those who can't, teach.
    Those who can't teach, teach Phys Ed.
    Those who can't teach Phys Ed, work in IT for the government.

    link to this | view in thread ]

  7. identicon
    Personanongrata, 8 Oct 2015 @ 9:01am

    NO

    Government agencies clearly can't be trusted with securing this information, but there's no option other than to submit and hope for the best.

    There actually is an option it is called the word NO which can be the most powerful word a free person may articulate.

    Does using NO in this instance come with certain personal risks and or potential sacrifices? Yes it does but sometimes human liberty comes before genuflection to power.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.