Federal Agencies Get a 35% in Cyber Incident Response

Published: June 10, 2014


Federal agencies are facing increasing cyber-threats, but they are not effectively managing their incident response activities, according to a recent assessment by the Government Accountability Office (GAO).

GAO reviewed federal agencies’ ability to respond to cyber incidents using a statistical sample of cyber incidents reported in fiscal year 2012 to project whether 24 major federal agencies demonstrated effective response activities. GAO also evaluated incident response policies, plans, and procedures at 6 randomly selected federal agencies (Energy, Justice, HUD, Transportation, VA, and NASA) to determine adherence to federal guidance. In its resulting report, “Agencies Need to Improve Cyber Incident Response Practices,” GAO determined that 24 major federal agencies did not consistently demonstrate that they are effectively responding to the cyber incidents they are encountering.

In the study, GAO conducted a statistical sample of the nearly 35 thousand cyber incidents reported by federal agencies in fiscal year 2012. In about 65 percent of reported incidents, GAO concluded that the 24 agencies in the study did not effectively or consistently demonstrate their actions taken in response to a detected incident. An agency might document how they contain or eradicate a threat, but they are not consistent in how they handle the analysis, recovery, and post-incident phases of incident response.

Specific findings in the report include:

  • Scope vs. impact – Agencies identified the scope of an incident in about 91 percent of cases, but frequently did not demonstrate that they had determined the impact of an incident (emphasis added). Two of the 6 selected agencies demonstrated that they had considered impact; the other 4 did not. (The variance in the statistical sample was too great to project a percentage.)

  • Uneven approaches – The 6 agencies reviewed had developed policies, plans, and procedures to guide their incident response activities, but these were not comprehensive or consistent with government-wide federal requirements.

  • Inconsistent damage control – While agencies had recorded actions to halt the spread of, or otherwise limit the damage caused by an incident in about 75 percent of the cases, that still left about 25 percent of incidents across government where agencies did not demonstrate such actions.

  • Incomplete eradication – Once identified and halted, agencies demonstrated that they completed their eradication steps for about 77 percent of incidents government-wide. However, in about 23 percent of incidents agencies did not demonstrate that they had effectively eradicated the incident.

  • Recurrence prevention – In about 49 percent of incidents across government, agencies did not demonstrate that they had taken remedial actions to prevent an incident from recurring.

  • Cost-awareness – While GAO found that agencies generally updated their policies or procedures on handling cyber-incidents, they did not consistently capture the costs of responding to an incident. Only 1 of the selected 6 agencies GAO reviewed and 12 of 24 agencies they surveyed reported that they had captured the costs of responding to an incident.


To overcome these and other shortfalls in incident response practices, GAO recommended that OMB and DHS add this area to each agency’s CyberStat reviews.

It seems that each month brings yet another element or initiative aimed at addressing the federal government’s cybersecurity posture. DHS’s Continuous Diagnostics and Mitigation program and other continuous monitoring efforts seek to help agencies get a handle on what’s happening on their networks and how to bake security into their systems. This and other GAO recommendations join the plethora of concurrent federal cybersecurity initiatives from the other direction – how agencies effectively and consistently respond to incidents when they come.

The multiple angles, levels and volume by which cybersecurity is being addressed reveal just how critical the issue is and how vulnerable our systems remain.