Information Security: Cyberattacks, Data Breaches and Security Controls

Federal agencies and our nation's critical infrastructures, such as communications and financial services, are dependent on information technology systems and electronic data to carry out operations and to process, maintain, and report essential information. Yet, cyber-based intrusions and attacks on federal and nonfederal systems have become not only more numerous and diverse, but also more damaging and disruptive as discussed in chapter 1. The IRS has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect the sensitive financial and taxpayer information that reside on those systems. As part of its audit of IRS's fiscal year 2017 and 2016 financial statements, GAO assessed whether controls over financial and tax processing systems were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information as reported in chapter 2. Reliance on a global supply chain introduces multiple risks to federal information systems. Chapter 3 highlights information security risks associated with the supply chains used by federal agencies to procure IT systems. The Office of Personnel Management (OPM) collects and maintains personal data on millions of individuals, including data related to security clearance investigations. In June 2015, OPM reported that an intrusion into its systems had affected the personnel records of about 4.2 million current and former federal employees. Then, in July 2015, the agency reported that a separate but related incident had compromised its systems and the files related to background investigations for 21.5 million individuals. From February 2015 through August 2017, multiple reviews of OPM's information security were conducted. Four reports based on these reviews were issued. The reports contained 80 recommendations for improving the agency's security posture. Chapter 4 reviews relevant documents and artifacts reflecting OPM''s actions and progress toward implementing the 80 recommendations contained in the four reports, and assessed the actions against the intent of the recommendations. CDC is responsible for detecting and responding to emerging health threats and controlling dangerous substances. In carrying out its mission, CDC relies on information technology systems to receive, process, and maintain sensitive data. Accordingly, effective information security controls are essential to ensure that the agency's systems and information are protected from misuse and modification. Chapter 5 reviews the extent to which CDC has taken corrective actions to address the previously identified security program and technical control deficiencies and related recommendations for improvement. Federal agencies are dependent on information systems to carry out operations. The risks to these systems are increasing as security threats evolve and become more sophisticated. To reduce the risk of a successful cyberattack, agencies can deploy intrusion detection and prevention capabilities on their networks and systems. Chapter 6 determined the reported effectiveness of agencies' implementation of the government's approach and strategy; the extent to which DHS and OMB have taken steps to facilitate the use of intrusion detection and prevention capabilities to secure federal systems; and the extent to which agencies reported implementing capabilities to detect and prevent intrusions. Recent large-scale data breaches of public and private entities have put hundreds of millions of people at risk of identity theft or other harm. Chapter 7 reviews issues related to consumers' options to address risks of harm from data breaches and examines information and expert views on the effectiveness of consumer options to address data breach risks. While Chapter 8 considers the answer to this question: what legal obligations do Internet companies have to prevent and respond to data breaches? Then discusses several factors Congress might consider when weighing future legislation.