Government IT Systems Still at Risk

Posted on October 06, 2015

Lately, it’s a recurring news story—another hack, leak, or breach, and sensitive information is compromised. We’ve long identified information system security as a high-risk area throughout the government. So for October’s Cybersecurity Awareness Month, we’re highlighting federal cybersecurity challenges.

Secure systems to secure the nation

Reported cybersecurity incidents at federal agencies grew more than twelvefold from 2006 to 2014.

(Figure excerpted from GAO-15-758T)

These incidents can result in the release of sensitive and personal information, theft of intellectual property, destruction or disruption of critical systems, and damage to economic and national security.

Agencies are supposed to protect themselves against threats from hackers, terrorists, insiders, and other nations. To secure federal IT systems, agencies should

  1. limit access or detect who accesses programs, computers, and facilities
  2. prevent unauthorized changes to programs and computers
  3. split responsibilities so no single person controls everything
  4. plan for problems to keep operations running during emergencies
  5. manage security so risks are understood and addressed.

But agencies have struggled to implement these security measures. In fact, we found that most of the 24 major federal agencies had persistent weaknesses in 3 or more of these areas. These weaknesses could expose confidential information or even take down entire systems.

It’s getting personal

Despite the vast amount of information they collect, agencies don’t always have policies and procedures to assess risks and protect the personal information of citizens and residents.

For example, in 2014 we reported that the Centers for Medicare & Medicaid Services hadn’t fully assessed privacy risks related to systems supporting Healthcare.gov, the federal health insurance marketplace. Until these and other weaknesses are addressed, Healthcare.gov and its related systems face unnecessary risks.

Critical threats to critical infrastructure

The nation’s critical infrastructure is also vulnerable to cyberattacks. Most of that infrastructure—power plants, phone lines, hospitals—is owned and operated by the private sector, which means that the private sector and the government have to work closely together to protect these critical assets.

However, federal agencies haven’t always been on top of this. For instance, we recently found that the FAA had significant weaknesses in securing air traffic control systems. If these weaknesses were exploited, the impact on air safety could be devastating. Listen to Greg Wilshusen, a director in our Information Technology team, explain:

Fixes, not patches

The proliferation of cyber threats makes cybersecurity a daunting challenge for the federal government. To help meet these challenges, we have made hundreds of recommendations aimed at strengthening agencies’ cybersecurity. It will take coordinated effort across the government, with strong strategic direction from the White House and effective oversight, to make sure that federal agencies are taking all the necessary steps to protect our nation’s systems and information.


GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January 2014 as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.