- The Washington Times - Wednesday, September 30, 2015

Government auditors say security deficiencies and “persistent weaknesses” across the board have put critical information systems at risk and continue to warrant wide-scale changes to the way federal databases and networks are maintained.

The Government Accountability Office concluded in a 71-page report published on Tuesday that the number of cyber incidents suffered by federal agencies continues to climb, notwithstanding relentless calls for reform made in the wake of recent major security breaches.

According to the group’s analysis, the number of information security incidents that have affected systems supporting the federal government climbed from 5,503 in fiscal year 2006 to 67,168 in fiscal year 2014 — a 1,121 percent increase across two dozen federal agencies, including the now infamously breached Office of Personnel Management.

Despite the blatant surge in incidents during the eight-year span, the agency said in its report that departments have been warned repeatedly about routinely apparent security lapses capable of placing at risk the critical systems and databases used to support the operations, assets and employees of federal agencies.

“GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented,” the report reads in part.

“Federal agencies’ information and systems remain at a high risk of unauthorized access, use, disclosure, modification and disruption,” wrote Gregory Wilshusen, the information security issues director for GAO. “These risks are illustrated by the wide array of cyber threats, an increasing number of cyber incidents and breaches of [personally identifiable information] occurring at federal agencies.”


Poor cybersecurity, improperly implemented configuration management, inadequate guidance and the infrequent segregation of duties are among the major factors behind the events, the GAO said.

The auditors noted that the number of security incidents concerning personally identifiable information, such as Social Security numbers and other sensitive data, has more than doubled during the course of five years to 27,624 in 2014.

Breaches endured that year by OPM but not revealed until 2015 allowed the personal records and biometric information for millions of government workers to be compromised and spawned an international dispute between the U.S. and the hack’s apparent culprit, China.

“Until agencies correct longstanding control deficiencies and address the hundreds of recommendations that we and agency inspectors general have made, federal systems will remain at increased and unnecessary risk of attack or compromise,” the report reads.

Last month, the results of an investigation led by a congressional committee revealed that hackers had breached the Department of Health and Human Services no fewer than five times in three years. Speaking to those statistics, the chairs of the Oversight and Investigations Subcommittee said in a joint statement that it’s “alarming and unacceptable” that HHS had made the data of Americans vulnerable to attack.

Policy changes that enabled the Department of Homeland Security to conduct regular and proactive vulnerability scans on some government networks starting earlier this year have already allowed cyber investigators to file hundreds of reports, the GAO noted, suggesting security incidents during fiscal year 2015 stand a chance of not surging higher.

• Andrew Blake can be reached at ablake@washingtontimes.com.
