Between 2006 and 2015, U.S. federal agencies endured a staggering 1,300 percent rise in cyber incidents, according to a recent government report. Although there are several laws and established frameworks in place relating to securing the government’s information, “implementation of this framework has been inconsistent,” the report said, resulting in an environment in which “federal information systems and networks are inherently at risk.”
The complexity and diversity of the government’s information networks are a hindrance. “This complexity increases the difficulty in identifying, managing and protecting the myriad of operating systems, applications and devices comprising the systems and networks,” wrote Greg Wilshusen, director of Information Security Issues for the Government Accountability Office (GAO), which produced the report. “Compounding the risk, systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown.”
A national vulnerability database, maintained by the MITRE Corporation, has identified 78,907 publicly known cybersecurity threats and exposures located within government systems, the report said, “with more being added each day.” Many federal systems are interconnected with external systems, including the internet, which makes them all the more susceptible to cyber attacks, the report said.
As of 2006, there had been 5,503 cyber “events” identified within federal agencies. By 2015, that number had jumped to 77,183. The backstory, the GAO noted, is that over the last several years it has suggested about 2,500 changes that federal agencies should make to decrease vulnerabilities to cyber incidents. To date, nearly 1,000 of those recommendations have yet to be implemented, the report said.
More concerning are the increases in incidents that “could threaten national security and public health and safety, or lead to inappropriate access to and disclosure, modification or destruction of sensitive information,” the report said.
Ultimately, the GAO urged all federal agencies to increase their cyber workforce, improve their response times to cyber incidents and move toward a government-wide intrusion detection system.