Agencies Seek Better DHS Incident Response Aid
GAO Report: Agencies Provide Pros, Cons on DHS AssistanceA number of large federal agencies would like to see the Department of Homeland Security, including its U.S. CERT unit, enhance services to help them address cyber-incidents, according to a Government Accountability Office report.
The 24 large federal agencies that the GAO surveyed for its report issued May 30 generally expressed satisfaction with DHS's assistance but identified improvements they believe would make certain services more useful, such as developing realistic timeframes to report incidents, the GAO report says.
Among the comments the agencies shared with GAO:
- Time frames are difficult to meet.
- The incident categories are no longer practical. Attributes that contribute to classification are not unique between the categories and it allows for too much discretion and interpretation. The categories are long overdue for updates.
- A category that separates data loss from unauthorized access would be beneficial.
- A category specific to phishing and advanced persistent threats would be helpful.
- Sub-categories to further identify the incident and how it happened should be added.
The GAO has made similar recommendations to DHS in the past. DHS officials told the GAO they're discussing with the Office of Management and Budget requirements to improve incident reporting guidance for agencies.
Satisfaction with Services Provided by DHS, as Reported by Agencies
Many of the findings in the report, Information Security: Agencies Need to Improve Cyber Incident Response Practices, were revealed in April, when GAO's Gregory Wilshusen told the Senate Homeland Security and Governmental Affairs Committee that major federal government agencies, for the most part, failed to respond effectively to cyber-incidents (see GAO: Federal Incident Response is Erratic).
Wilshusen, GAO's director of information security issues, say it's essential for agencies to manage effective incident response activities as they face increasing and more threatening cyber-incidents. "However, agencies did not consistently demonstrate that they responded to cyber-incidents in an effective manner," he says in the report. "Although agencies often demonstrated that they carried out various aspects of incident response activities, documenting all of the steps taken to analyze, contain, eradicate, and recover from incidents are important actions for agencies to take to ensure that incidents are being appropriately addressed."
The number of information security incidents at federal agencies has grown dramatically in recent years, more than doubling from 2009 through 2013, according to a GAO analysis of U.S.-CERT statistics.
The United States Computer Emergency Response Team serves as the central information security incident center required by the Federal Information Security Management Act.
Information Security Incidents by Category, Fiscal Year 2013
Wilshusen, in the report, calls on U.S.-CERT to develop metrics to evaluate the effectiveness of its cyber-incident assistance to agencies.
U.S.-CERT gathers monthly statistics on activities such as the number of on-site or remote technical assistance engagements it performs month, or the number of pieces of malware analyzed by staff. A U.S.-CERT official told the GAO those numbers are driven by factors outside of its control, and, as a result, indicate activity levels rather than performance measures. The official said U.S.-CERT continues to try to identify meaningful performance measures.
It's important that they succeed, Wilshusen says. "Without results-oriented performance measures, U.S.-CERT will face challenges in ensuring it is effectively assisting federal agencies with preparing for and responding to cyber incidents."