The federal government is not learning critical lessons in cyber incident response because agencies are not effectively documenting how they respond to attacks or what impact those attacks have had on their operations, according to a new report from the Government Accountability Office.
In its study of two dozen major federal agencies, GAO found most “did not consistently demonstrate that they are effectively responding to cyber incidents.” The report, conducted from February 2013 to April 2014, also found that in approximately 65 percent of the cases studied, agencies didn’t document the actions they took to respond to these incidents.
Throughout fiscal year 2013, the United States Computer Emergency Readiness Team (US-CERT) received 46,160 cyber incident reports. Of those incidents, 43,931 affected the 24 agencies studied by GAO.
“Agencies frequently documented their incident response actions for containing and eradicating incidents, but did not consistently demonstrate how they had handled incident response activities for the analysis, recovery and post-incident phases,” the report said.
One area where agencies fell short was in defining incident response roles and responsibilities within the organization.
Only two of the agencies studied had a fully defined responsibility structure in place. The Transportation Department’s cybersecurity policy assigns its Computer Security Incident Response Center responsibility for implementing and monitoring the agency’s response plans. NASA also has a defined responsibility structure established in its information security handbook, the report said.
Other agencies only partially defined their roles and responsibilities. In its survey response, the Justice Department said its information security policy defines the department’s roles and responsibilities, but the agency did not specify who has the authority to confiscate equipment or give an example of when an incident should be escalated.
The Department of Veterans Affairs defined roles and responsibilities, but didn’t include authorities for the incident response team, according to the report.
Some agencies also failed to consider the potential impact of a cyber incident and to categorize it accordingly. GAO could not project a governmentwide percentage because the variance in its sample was too large, but at least two of the agencies studied said they had assessed an incident’s impact after a threat was detected. In the categorization process, 11 agencies said they did not assign the potential impact to a low, moderate or high category.
“Agencies risk ineffective and more costly incident response if they do not account for an incident’s impact,” the report said.
In most cases, though, GAO found that agencies did take steps to stop an incident from spreading or to limit the damage it caused.
“Specifically, our analysis shows that agencies had recorded actions to halt the spread of, or otherwise limit, the damage caused by an incident in about 75 percent of incidents governmentwide,” the report said.
Agency officials told GAO they were satisfied with their agency’s response to cyber incidents, according to the report; some did acknowledge, however, that reporting requirements needed to be improved.
GAO recommended that the Office of Management and Budget and the Department of Homeland Security address incident response practices across the government. The report also said agencies can improve how they respond to cyber incidents through the DHS and OMB CyberStat reviews. DHS was also charged with having US-CERT develop measures of how effective its assistance to agencies is.
“Cyber-based attacks on federal systems have become not only more numerous and diverse but also more damaging and disruptive,” the report states. “Protecting the information systems and the information that resides on them and effectively responding to cyber incidents is important to federal agencies because the unauthorized disclosure, alteration, and destruction of the information on those systems can result in great harm to those involved.”