The Government Accountability Office released a 24-page document on its findings regarding cybersecurity within the Federal government. Not surprisingly, the report finds that threats are growing in frequency, with a 200% rise in incidents between 2006 and 2008.
According to the report, which can be found here:
Compounding the growing number and kinds of threats, GAO—along with agencies and their inspectors general—has identified significant weaknesses in the security controls on federal information systems, resulting in pervasive vulnerabilities. These include deficiencies in the security of financial systems and information and vulnerabilities in other critical federal information systems. GAO has identified weaknesses in all major categories of information security controls at federal agencies. For example, in fiscal year 2008, weaknesses were reported in such controls at 23 of 24 major agencies.
Specifically, agencies did not consistently authenticate users to prevent unauthorized access to systems; apply encryption to protect sensitive data; and log, audit, and monitor security-relevant events, among other actions.
Note that authentication is cited as the number one problem, and DNSSEC is the only effective way of authenticating who is who on the Internet. DNSSEC will go a long way to improve government and infrastructure computer networks, and time is of the essence. According to a recent report by McAfee (Report: Countries prepping for cyberwar), the threats are real:
Major countries and nation-states are engaged in a "Cyber Cold War," amassing cyberweapons, conducting espionage, and testing networks in preparation for using the Internet to conduct war, according to a new report to be released on Tuesday by McAfee.
The GAO report validates my impression that the US Government is more talk than action. I attend government-oriented cybersecurity conferences and my company is heavily involved in DNSSEC deployment. Despite much rhetoric, the pace of security improvement is slow and the funding has not been adequate.
DNSSEC deployment in Federal agencies is far behind the target for meeting the OMB-mandated adoption of DNSSEC by the end of 2009. One reason for this lack of compliance is lack of funding and another is lack of attention from the Obama Administration.
An authenticated Internet will boost the economy and help achieve other key goals. We are crazy to think we can put medical records on-line without DNSSEC.
The time for talk is past; it is time for action.