Government Accountability Office Finds Government Still Mostly Terrible When It Comes To Cybersecurity

from the can't-even-secure-a-filing-cabinet,-apparently dept

The government has done a spectacularly terrible job at protecting sensitive personal information over the past couple of years. Since 2013, the FDA, US Postal Service, Dept. of Veterans Affairs, the IRS and the Office of Personnel Management have all given up personal information. So, it's no surprise the Government Accountability Office's latest report on information security contains little in the way of properly-secured information.



It opens with this depressing graph, showing just how many agencies flunked its information security controls assessment. Keep in mind that it only surveyed 24 agencies.



But what's most concerning about the report (which is full of concerning conclusions) is that, in an era of cyber-everything, the most common "security incidents" have nothing to do with phishing, security holes or any other cyber-related threat. They have to do with people and the mishandling of dead tree byproducts. Non-cyber incidents are defined by the GAO as:

...a report of PII [personally-identifiable information] spillage or possible mishandling of PII that involves hard copies or printed material as opposed to digital records.

The GAO reports that security incidents have skyrocketed over the past eight years, from 5,500 in 2006 to nearly 70,000 last year. It also notes that incidents involving personally-identifiable information have increased steadily as well:

[T]he number of information security incidents involving PII reported by federal agencies has more than doubled in recent years, from 10,481 in 2009 to 27,624 in 2014.

It all adds up to something fairly disturbing. Not only are government agencies increasingly under attack from outside forces, but their internal handling of hard-copy PII is getting worse as well -- even if the percentage of non-cyber incidents has declined over the past five years. And despite the government's increased focus on all things cyber, the first chart makes it clear there has been almost no improvement in information security controls since 2013. It also appears as though there's only one agency taking the GAO's past recommendations seriously: the Department of Defense.

OMB established a fiscal year 2014 target of 75 percent implementation for strong authentication. In its report on fiscal year 2014 FISMA implementation, OMB indicated that the 24 federal agencies covered by the CFO Act had achieved a combined 72 percent implementation of these requirements, but this number dropped to only 41 percent implementation for the 23 civilian agencies when excluding DOD.

Obviously, overhauling security controls in a large number of agencies is an enormous undertaking. But this low level of implementation is both frightening and pathetic. The government demands large amounts of personal information from citizens, as well as from its employees and job applicants. There's no opting out. Then it takes this information and provides only the most perfunctory of protections. Government agencies clearly can't be trusted with securing this information, but there's no option other than to submit and hope for the best. It's even more disheartening when you realize that some of these directives that haven't been fully complied with have been in place since

The government asks for too much and provides too little in return. Multiple agencies want to be the "ground force" in the cyberwar. But until the homefront is secured, it seems unwise to deploy elsewhere.
