The Government Accountability Office (GAO) recently issued two reports on battling cyber threats that are useful for both private and public entities. The first report, issued July 2, 2015, was entitled Cybersecurity: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information. In that report, the GAO noted that while, “[d]epository institutions obtain cyber threat information from multiple sources, including federal entities such as the Department of the Treasury (Treasury)[,] [r]epresentatives from more than 50 financial institutions told GAO that obtaining adequate information on cyber threats from federal sources was challenging.” One particular challenge is that “[i]nformation that is shared about cyber threats and actual attacks was not always seen as having sufficient context or details to allow depository institutions to take definitive actions to protect themselves.”
Furthermore, many bank regulators do not have enough examiners with the necessary skills to perform IT examinations and therefore, depository institutions, especially smaller ones, may not be receiving adequate information from regulatory exams to identify problems. The GAO noted that the Treasury has taken steps to improve the flow of information between federal authorities and depository institutions formed a “special group that works with other law enforcement and intelligence agencies to obtain declassified information and share it with financial institutions in a series of circulars.”
The second report was issued on July 8, 2015 entitled Information Security: Cyber Threats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies. In this report, the GAO highlighted important deficiencies in how federal agencies are securing their systems and information. The GAO noted “the sharp increase in information security incidents reported by federal agencies over the last several years, which have risen from 5,503 in fiscal year 2006 to 67,168 in fiscal year 2014.” The report also noted that 19 of 24 major agencies declared that cybersecurity was a significant deficiency or a material weakness for financial reporting purposes. The GAO highlighted several important government initiatives to bolster cybersecurity including:
- Personal Identity Verification: The President and the Office of Management and Budget (OMB) directed agencies to issue credentials with enhanced security features to control access to federal facilities and systems. OMB recently reported that only 41 percent of user accounts at 23 civilian agencies had required these credentials to access agency systems.
- Continuous Diagnostics and Mitigation: This program is to provide agencies with tools for continuously monitoring cybersecurity risks.
- National Cybersecurity Protection System: This system is to provide capabilities for monitoring network traffic and detecting and preventing intrusions. GAO has ongoing work reviewing the system’s implementation.
Finally, the GAO noted that “[w]hile these initiatives are intended to improve security, no single technology or tool is sufficient to protect against all cyber threats. Rather, agencies need to employ a multi-layered approach to security that includes well-trained personnel, effective and consistently applied processes, and appropriate technologies.
All institutions can benefit from these reports. First, information sharing is critical to thwarting cyber crime. This includes sharing between private entities and private and public entities. Second, institutions need to employ a multi-prong approach to battling cyber threats. There is no one-size-fits-all approach to this exercise.