oversight

Cybersecurity: Threats Impacting the Nation

Published by the Government Accountability Office on 2012-04-24.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                            United States Government Accountability Office

GAO                         Testimony
                            Before the Subcommittee on Oversight,
                            Investigations, and Management,
                            Committee on Homeland Security, House
                            of Representatives
                            CYBERSECURITY
For Release on Delivery
Expected at 2:00 p.m. EDT
Tuesday, April 24, 2012



                            Threats Impacting the
                            Nation
                            Statement of Gregory C. Wilshusen, Director
                            Information Security Issues




GAO-12-666T
                                               April 24, 2012

                                               CYBERSECURITY
                                               Threats Impacting the Nation

Highlights of GAO-12-666T, a testimony
before the Subcommittee on Oversight,
Investigations, and Management, Committee
on Homeland Security, House of
Representatives


Why GAO Did This Study                         What GAO Found
Nearly every aspect of American                The nation faces an evolving array of cyber-based threats arising from a variety
society increasingly depends upon              of sources. These threats can be intentional or unintentional. Unintentional
information technology systems and             threats can be caused by software upgrades or defective equipment that
networks. This includes increasing             inadvertently disrupt systems, and intentional threats can be both targeted and
computer interconnectivity, particularly       untargeted attacks from a variety of threat sources. Sources of threats include
through the widespread use of the              criminal groups, hackers, terrorists, organization insiders, and foreign nations
Internet as a medium of                        engaged in crime, political activism, or espionage and information warfare. These
communication and commerce. While              threat sources vary in terms of the capabilities of the actors, their willingness to
providing significant benefits, this
                                               act, and their motives, which can include monetary gain or political advantage,
increased interconnectivity can also
                                               among others. Moreover, potential threat actors have a variety of attack
create vulnerabilities to cyber-based
threats. Pervasive and sustained cyber
                                               techniques at their disposal, which can adversely affect computers, software, a
attacks against the United States could        network, an organization’s operation, an industry, or the Internet itself. The
have a potentially devastating impact          nature of cyber attacks can vastly enhance their reach and impact due to the fact
on federal and nonfederal systems,             that attackers do not need to be physically close to their victims and can more
disrupting the operations of                   easily remain anonymous, among other things. The magnitude of the threat is
governments and businesses and the             compounded by the ever-increasing sophistication of cyber attack techniques,
lives of private individuals. Accordingly,     such as attacks that may combine multiple techniques. Using these techniques,
GAO has designated federal                     threat actors may target individuals, businesses, critical infrastructures, or
information security as a                      government organizations.
governmentwide high-risk area since
1997, and in 2003 expanded it to               The threat posed by cyber attacks is heightened by vulnerabilities in federal
include protecting systems and assets          systems and systems supporting critical infrastructure. Specifically, significant
vital to the nation (referred to as critical   weaknesses in information security controls continue to threaten the
infrastructures).                              confidentiality, integrity, and availability of critical information and information
                                               systems supporting the operations, assets, and personnel of federal government
GAO is providing a statement that              agencies. For example, 18 of 24 major federal agencies have reported
describes (1) cyber threats facing the         inadequate information security controls for financial reporting for fiscal year
nation’s systems, (2) vulnerabilities          2011, and inspectors general at 22 of these agencies identified information
present in federal information systems
                                               security as a major management challenge for their agency. Moreover, GAO,
and systems supporting critical
                                               agency, and inspector general assessments of information security controls
infrastructure, and (3) reported cyber
incidents and their impacts. In                during fiscal year 2011 revealed that most major agencies had weaknesses in
preparing this statement, GAO relied           most major categories of information system controls. In addition, GAO has
on previously published work in these          identified vulnerabilities in systems that monitor and control sensitive processes
areas and reviewed more recent GAO,            and physical functions supporting the nation’s critical infrastructures. These and
agency, and inspectors general work,           similar weaknesses can be exploited by threat actors, with potentially severe
as well as reports on security incidents.      effects.

What GAO Recommends                            The number of cybersecurity incidents reported by federal agencies continues to
                                               rise, and recent incidents illustrate that these pose serious risk. Over the past 6
GAO has previously made                        years, the number of incidents reported by federal agencies to the federal
recommendations to resolve identified          information security incident center has increased by nearly 680 percent. These
significant control deficiencies.              incidents include unauthorized access to systems; improper use of computing
                                               resources; and the installation of malicious software, among others. Reported
                                               attacks and unintentional incidents involving federal, private, and infrastructure
                                               systems demonstrate that the impact of a serious attack could be significant,
                                               including loss of personal or sensitive information, disruption or destruction of
View GAO-12-666T. For more information,
contact Gregory C. Wilshusen at (202) 512-     critical infrastructure, and damage to national and economic security.
6244 or wilshuseng@gao.gov.

                                                                                        United States Government Accountability Office
Chairman McCaul, Ranking Member Keating, and Members of the
Subcommittee:

Thank you for the opportunity to testify at today’s hearing on the cyber-
based threats facing our nation.

The increasing dependency upon information technology (IT) systems
and networked operations pervades nearly every aspect of our society. In
particular, increasing computer interconnectivity—most notably growth in
the use of the Internet—has revolutionized the way that our government,
our nation, and much of the world communicate and conduct business.
While bringing significant benefits, this dependency can also create
vulnerabilities to cyber-based threats. Pervasive and sustained cyber
attacks against the United States could have a potentially devastating
impact on federal and nonfederal systems and operations. In January
2012, the Director of National Intelligence testified that such threats pose
a critical national and economic security concern. 1 These growing and
evolving threats can potentially affect all segments of our society—
individuals; private businesses; local, state, and federal governments; and
other entities. Underscoring the importance of this issue, we have
designated federal information security as a high-risk area since 1997
and in 2003 expanded this area to include protecting computerized
systems supporting our nation’s critical infrastructure. 2

In my testimony today, I will describe (1) cyber threats facing the nation’s
systems, (2) vulnerabilities present in federal systems and systems
supporting critical infrastructure, 3 and (3) reported cyber incidents and
their impacts. In preparing this statement in April 2012, we relied on our
previous work in these areas. (Please see the related GAO products in
appendix I.) These products contain detailed overviews of the scope and
methodology we used. We also reviewed more recent agency, inspector



1
 James R. Clapper, Director of National Intelligence, Unclassified Statement for the
Record on the Worldwide Threat Assessment of the US Intelligence Community for the
Senate Select Committee on Intelligence (January 31, 2012).
2
 See, most recently, GAO, High-Risk Series: An Update, GAO-11-278 (Washington, D.C.:
February 2011).
3
 Critical infrastructures are systems and assets, whether physical or virtual, so vital to our
nation that their incapacity or destruction would have a debilitating impact on national
security, economic well-being, public health or safety, or any combination of these.




Page 1                                                            GAO-12-666T Cyber Threats
             general, and GAO assessments of security vulnerabilities at federal
             agencies and information on security incidents from the U.S. Computer
             Emergency Readiness Team (US-CERT), media reports, and other
             publicly available sources. The work on which this statement is based
             was conducted in accordance with generally accepted government
             auditing standards. Those standards require that we plan and perform
             audits to obtain sufficient, appropriate evidence to provide a reasonable
             basis for our findings and conclusions based on our audit objectives. We
             believe that the evidence obtained provided a reasonable basis for our
             findings and conclusions based on our audit objectives.


             As computer technology has advanced, both government and private
Background   entities have become increasingly dependent on computerized
             information systems to carry out operations and to process, maintain, and
             report essential information. Public and private organizations rely on
             computer systems to transmit sensitive and proprietary information,
             develop and maintain intellectual capital, conduct operations, process
             business transactions, transfer funds, and deliver services. In addition,
             the Internet has grown increasingly important to American business and
             consumers, serving as a medium for hundreds of billions of dollars of
             commerce each year, as well as developing into an extended information
             and communications infrastructure supporting vital services such as
             power distribution, health care, law enforcement, and national defense.

             Consequently, the security of these systems and networks is essential to
             protecting national and economic security, public health and safety, and
             the flow of commerce. Conversely, ineffective information security
             controls can result in significant risks, including

             •   loss or theft of resources, such as federal payments and collections;
             •   inappropriate access to and disclosure, modification, or destruction of
                 sensitive information, such as national security information, personal
                 taxpayer information, or proprietary business information;
             •   disruption of critical operations supporting critical infrastructure,
                 national defense, or emergency services;
             •   undermining of agency missions due to embarrassing incidents that
                 erode the public’s confidence in government; and
             •   use of computer resources for unauthorized purposes or to launch
                 attacks on other computers systems.




             Page 2                                               GAO-12-666T Cyber Threats
                                         Cyber-based threats are evolving and growing and arise from a wide
The Nation Faces an                      array of sources. These threats can be unintentional or intentional.
Evolving Array of                        Unintentional threats can be caused by software upgrades or defective
                                         equipment that inadvertently disrupt systems. Intentional threats include
Cyber-Based Threats                      both targeted and untargeted attacks from a variety of sources, including
                                         criminal groups, hackers, disgruntled employees, foreign nations engaged
                                         in espionage and information warfare, and terrorists. These threat
                                         sources vary in terms of the capabilities of the actors, their willingness to
                                         act, and their motives, which can include monetary gain or political
                                         advantage, among others. Table 1 shows common sources of cyber
                                         threats.

Table 1: Sources of Cybersecurity Threats

Threat source                  Description
Bot-network operators          Bot-net operators use a network, or bot-net, of compromised, remotely controlled systems to
                               coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of
                               these networks are sometimes made available on underground markets (e.g., purchasing a denial-
                               of-service attack or services to relay spam or phishing attacks).
Criminal groups                Criminal groups seek to attack systems for monetary gain. Specifically, organized criminal groups
                               use spam, phishing, and spyware/malware to commit identity theft, online fraud, and computer
                               extortion. International corporate spies and criminal organizations also pose a threat to the United
                               States through their ability to conduct industrial espionage and large-scale monetary theft and to
                               hire or develop hacker talent.
Hackers                        Hackers break into networks for the thrill of the challenge, bragging rights in the hacker community,
                               revenge, stalking, monetary gain, and political activism, among other reasons. While gaining
                               unauthorized access once required a fair amount of skill or computer knowledge, hackers can now
                               download attack scripts and protocols from the Internet and launch them against victim sites. Thus,
                               while attack tools have become more sophisticated, they have also become easier to use.
                               According to the Central Intelligence Agency, the large majority of hackers do not have the requisite
                               expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide
                               population of hackers poses a relatively high threat of an isolated or brief disruption causing serious
                               damage.
Insiders                       The disgruntled organization insider is a principal source of computer crime. Insiders may not need
                               a great deal of knowledge about computer intrusions because their knowledge of a target system
                               often allows them to gain unrestricted access to cause damage to the system or to steal system
                               data. The insider threat includes contractors hired by the organization, as well as careless or poorly
                               trained employees who may inadvertently introduce malware into systems.
Nations                        Nations use cyber tools as part of their information-gathering and espionage activities. In addition,
                               several nations are aggressively working to develop information warfare doctrine, programs, and
                               capabilities. Such capabilities enable a single entity to have a significant and serious impact by
                               disrupting the supply, communications, and economic infrastructures that support military power—
                               impacts that could affect the daily lives of citizens across the country. In his January 2012
                               testimony, the Director of National Intelligence stated that, among state actors, China and Russia
                               are of particular concern.
Phishers                       Individuals or small groups execute phishing schemes in an attempt to steal identities or
                               information for monetary gain. Phishers may also use spam and spyware or malware to accomplish
                               their objectives.




                                         Page 3                                                           GAO-12-666T Cyber Threats
Threat source                      Description
Spammers                           Individuals or organizations distribute unsolicited e-mail with hidden or false information in order to
                                   sell products, conduct phishing schemes, distribute spyware or malware, or attack organizations
                                   (e.g., a denial of service).
Spyware or malware authors         Individuals or organizations with malicious intent carry out attacks against users by producing and
                                   distributing spyware and malware. Several destructive computer viruses and worms have harmed
                                   files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl)
                                   Virus, Nimda, Code Red, Slammer, and Blaster.
Terrorists                         Terrorists seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national
                                   security, cause mass casualties, weaken the economy, and damage public morale and confidence.
                                   Terrorists may use phishing schemes or spyware/malware in order to generate funds or gather
                                   sensitive information.
                                             Source: GAO analysis based on data from the Director of National Intelligence, Department of Justice, Central Intelligence Agency, and
                                             the Software Engineering Institute’s CERT® Coordination Center.



                                             These sources of cyber threats make use of various techniques, or
                                             exploits, that may adversely affect computers, software, a network, an
                                             organization’s operation, an industry, or the Internet itself. Table 2
                                             provides descriptions of common types of cyber exploits.

Table 2: Types of Cyber Exploits

Type of exploit                             Description
Cross-site scripting                        An attack that uses third-party web resources to run script within the victim’s web browser
                                            or scriptable application. This occurs when a browser visits a malicious website or clicks a
                                            malicious link. The most dangerous consequences occur when this method is used to
                                            exploit additional vulnerabilities that may permit an attacker to steal cookies (data
                                            exchanged between a web server and a browser), log key strokes, capture screen shots,
                                            discover and collect network information, and remotely access and control the victim’s
                                            machine.
Denial-of-service                           An attack that prevents or impairs the authorized use of networks, systems, or
                                            applications by exhausting resources.
Distributed denial-of-service               A variant of the denial-of-service attack that uses numerous hosts to perform the attack.
Logic bombs                                 A piece of programming code intentionally inserted into a software system that will cause
                                            a malicious function to occur when one or more specified conditions are met.
Phishing                                    A digital form of social engineering that uses authentic-looking, but fake, e-mails to
                                            request information from users or direct them to a fake website that requests information.
Passive wiretapping                         The monitoring or recording of data, such as passwords transmitted in clear text, while
                                            they are being transmitted over a communications link. This is done without altering or
                                            affecting the data.
Structured Query Language (SQL)             An attack that involves the alteration of a database search in a web-based application,
injection                                   which can be used to obtain unauthorized access to sensitive information in a database.
Trojan horse                                A computer program that appears to have a useful function, but also has a hidden and
                                            potentially malicious function that evades security mechanisms by, for example,
                                            masquerading as a useful program that a user would likely execute.




                                             Page 4                                                                                       GAO-12-666T Cyber Threats
Type of exploit    Description
Virus              A computer program that can copy itself and infect a computer without the permission or
                   knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail
                   programs to spread itself to other computers, or even erase everything on a hard disk.
                   Unlike a computer worm, a virus requires human involvement (usually unwitting) to
                   propagate.
War driving        The method of driving through cities and neighborhoods with a wireless-equipped
                   computer– sometimes with a powerful antenna–searching for unsecured wireless
                   networks.
Worm               A self-replicating, self-propagating, self-contained program that uses network mechanisms
                   to spread itself. Unlike computer viruses, worms do not require human involvement to
                   propagate.
Zero-day exploit   An exploit that takes advantage of a security vulnerability previously unknown to the
                   general public. In many cases, the exploit code is written by the same person who
                   discovered the vulnerability. By writing an exploit for the previously unknown vulnerability,
                   the attacker creates a potent threat since the compressed timeframe between public
                   discoveries of both makes it difficult to defend against.
                   Source: GAO analysis of data from the National Institute of Standards and Technology, United States Computer Emergency Readiness
                   Team, and industry reports.



                   The unique nature of cyber-based attacks can vastly enhance their reach
                   and impact. For example, cyber attackers do not need to be physically
                   close to their victims, technology allows attacks to easily cross state and
                   national borders, attacks can be carried out at high speed and directed at
                   a number of victims simultaneously, and cyber attackers can more easily
                   remain anonymous. Moreover, the use of these and other techniques is
                   becoming more sophisticated, with attackers using multiple or “blended”
                   approaches that combine two or more techniques. Using these
                   techniques, threat actors may target individuals, resulting in loss of
                   privacy or identity theft; businesses, resulting in the compromise of
                   proprietary information or intellectual capital; critical infrastructures,
                   resulting in their disruption or destruction; or government agencies,
                   resulting in the loss of sensitive information and damage to economic and
                   national security.




                   Page 5                                                                                   GAO-12-666T Cyber Threats
                      Significant weaknesses in information security controls continue to
Systems Supporting    threaten the confidentiality, integrity, and availability of critical information
Federal Operations    and information systems used to support the operations, assets, and
                      personnel of federal agencies. For example, in their performance and
and Critical          accountability reports and annual financial reports for fiscal year 2011, 18
Infrastructure Are    of 24 major federal agencies 4 indicated that inadequate information
Vulnerable to Cyber   security controls were either material weaknesses or significant
                      deficiencies 5 for financial reporting purposes. In addition, inspectors
Attacks               general at 22 of the major agencies identified information security or
                      information system control as a major management challenge for their
                      agency.

                      Agency, inspectors general, and GAO assessments of information
                      security controls during fiscal year 2011 revealed that most major federal
                      agencies had weaknesses in most of the five major categories of
                      information system controls: (1) access controls, which ensure that only
                      authorized individuals can read, alter, or delete data; (2) configuration
                      management controls, which provide assurance that only authorized
                      software programs are implemented; (3) segregation of duties, which
                      reduces the risk that one individual can independently perform
                      inappropriate actions without detection; (4) continuity of operations
                      planning, which helps avoid significant disruptions in computer-dependent
                      operations; and (5) agencywide information security programs, which
                      provide a framework for ensuring that risks are understood and that
                      effective controls are selected and implemented. Figure 1 shows the



                      4
                       The 24 major departments and agencies are the Departments of Agriculture, Commerce,
                      Defense, Education, Energy, Health and Human Services, Homeland Security, Housing
                      and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury,
                      and Veterans Affairs; the Environmental Protection Agency, General Services
                      Administration, National Aeronautics and Space Administration, National Science
                      Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small
                      Business Administration, Social Security Administration, and U.S. Agency for International
                      Development.
                      5
                        A material weakness is a deficiency, or a combination of deficiencies, in internal control
                      such that there is a reasonable possibility that a material misstatement of the entity’s
                      financial statements will not be prevented, or detected and corrected on a timely basis. A
                      significant deficiency is a deficiency, or a combination of deficiencies, in internal control
                      that is less severe than a material weakness, yet important enough to merit attention by
                      those charged with governance. A control deficiency exists when the design or operation
                      of a control does not allow management or employees, in the normal course of performing
                      their assigned functions, to prevent, or detect and correct, misstatements on a timely
                      basis.




                      Page 6                                                           GAO-12-666T Cyber Threats
number of agencies that had vulnerabilities in these five information
security control categories.

Figure 1: Information Security Weaknesses at 24 Major Federal Agencies in Fiscal
Year 2011




Over the past several years, we and agency inspectors general have
made hundreds of recommendations to resolve similar previously
identified significant control deficiencies. We have also recommended
that agencies fully implement comprehensive, agencywide information
security programs, including by correcting weaknesses in specific areas
of their programs. The effective implementation of these
recommendations will strengthen the security posture at these agencies.

In addition, securing the control systems that monitor and control
sensitive processes and physical functions supporting many of our
nation’s critical infrastructures is a national priority, and we have identified
vulnerabilities in these systems. For example, in September 2007, we
reported that critical infrastructure control systems faced increasing risks
due to cyber threats, system vulnerabilities, and the serious potential




Page 7                                                   GAO-12-666T Cyber Threats
impact of possible attacks. 6 Specifically, we determined that critical
infrastructure owners faced both technical and organizational challenges
to securing control systems, such as limited processing capabilities and
developing compelling business cases for investing in control systems
security, among others. We further identified federal initiatives under way
to help secure these control systems, but noted that more needed to be
done to coordinate these efforts and address shortfalls. We made
recommendations to the Department of Homeland Security to develop a
strategy for coordinating control systems security efforts and enhance
information sharing with relevant stakeholders. Since this report, the
department formed the Industrial Control Systems Cyber Emergency
Response Team to provide industrial control system stakeholders with
situational awareness and analytical support to effectively manage risk. In
addition, it has taken several actions, such as developing a catalog of
recommended security practices for control systems, developing a
cybersecurity evaluation tool that allows asset owners to assess their
control systems and overall security posture, and collaborating with
others to promote control standards and system security. We have not
evaluated these activities to assess their effectiveness in improving the
security of control systems against cyber threats.

In May 2008, we reported that the Tennessee Valley Authority’s (TVA)
corporate network contained security weaknesses that could lead to the
disruption of control systems networks and devices connected to that
network. 7 We made 19 recommendations to improve the implementation
of information security program activities for the control systems
governing TVA’s critical infrastructures and 73 recommendations to
address weaknesses in information security controls. TVA concurred with
the recommendations and has taken steps to implement them.

In addition to those present in federal systems and systems supporting
critical infrastructure, vulnerabilities in mobile computing devices used by
individuals or organizations may provide openings to cyber threats. For
example, consumers and federal agencies are increasing their use of
mobile devices to communicate and access services over the Internet.



6
 GAO, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are
Under Way, but Challenges Remain, GAO-07-1036 (Washington, D.C.: Sept. 10, 2007).
7
 GAO, Information Security: TVA Needs to Address Weaknesses in Control Systems and
Networks, GAO-08-526 (Washington, D.C.: May 21, 2008).




Page 8                                                         GAO-12-666T Cyber Threats
                          The use of these devices offers many benefits including ease of sending
                          and checking messages and remotely accessing information online;
                          however, it can also introduce information security risks if not properly
                          protected. We have ongoing work to determine (1) what common security
                          threats and vulnerabilities affect generally available cellphones,
                          smartphones, and tablets; (2) what security features and practices have
                          been identified to mitigate the risks associated with these vulnerabilities;
                          and (3) the extent to which government and private entities are
                          addressing security vulnerabilities of mobile devices.


                          Federal agencies have reported increasing numbers of security incidents
Number of                 that placed sensitive information at risk, with potentially serious impacts
Cybersecurity             on federal operations, assets, and people. When incidents occur,
                          agencies are to notify the federal information security incident center—
Incidents Reported by     US-CERT. Over the past 6 years, the number of incidents reported by
Federal Agencies          federal agencies to US-CERT has increased from 5,503 incidents in fiscal
Continues to Rise,        year 2006 to 42,887 incidents in fiscal year 2011, an increase of nearly
                          680 percent (see fig. 2). 8
and Recent Incidents
Illustrate Serious Risk




                          8
                           According to US-CERT, the growth in the number of incidents is attributable, in part, to
                          agencies improving detection and reporting of security incidents on their respective
                          networks.




                          Page 9                                                          GAO-12-666T Cyber Threats
Figure 2: Incidents Reported to US-CERT: Fiscal Years 2006-
2011




Agencies reported the types of incidents and events based on US-CERT-
defined categories. As indicated in figure 3, the two most prevalent types
of incidents and events reported to US-CERT during fiscal year 2011
were unconfirmed incidents under investigation and malicious code.




Page 10                                                  GAO-12-666T Cyber Threats
Figure 3: Types of Incidents Reported to US-CERT in Fiscal Year 2011 by
Category




Reported attacks and unintentional incidents involving federal, private,
and critical infrastructure systems demonstrate that the impact of a
serious attack could be significant. These agencies and organizations
have experienced a wide range of incidents involving data loss or theft,
computer intrusions, and privacy breaches, underscoring the need for
improved security practices. The following examples from news media
and other public sources illustrate that a broad array of information and
assets remain at risk.

•   In April 2012, hackers breached a server at the Utah Department of
    Health to access thousands of Medicaid records. Included in the
    breach were Medicaid recipients and clients of the Children’s Health
    Insurance Plan. About 280,000 people had their Social Security
    numbers exposed. In addition, another 350,000 people listed in the
    eligibility inquiries may have had other sensitive data stolen, including
    names, birth dates, and addresses.
•   In March 2012, it was reported that a security breach at Global
    Payments, a firm that processed payments for Visa and Mastercard,
    could compromise the credit- and debit-card information of millions of
    Americans. Subsequent to the reported breach, the company’s stock



Page 11                                                  GAO-12-666T Cyber Threats
    fell more than 9 percent before trading in its stock was halted. Visa
    also removed the company from its list of approved processors.
•   In February 2012, the inspector general at the National Aeronautics
    and Space Administration testified that an unencrypted notebook
    computer had been stolen from the agency in March 2011. The theft
    resulted in the loss of the algorithms used to command and control
    the International Space Station.
•   In March 2012, a news wire service reported that the senior
    commander of the North Atlantic Treaty Organization (NATO) had
    been the target of repeated cyber attacks using the social networking
    website Facebook that were believed to have originated in China.
    According to the article, hackers repeatedly tried to dupe those close
    to the commander by setting up fake Facebook accounts in his name
    in the hope that his acquaintances would make contact and answer
    private messages, potentially divulging sensitive information about the
    commander or themselves.
•   In March 2012, it was reported that Blue Cross Blue Shield of
    Tennessee paid out a settlement of $1.5 million to the U.S.
    Department of Health and Human Services arising from potential
    violations stemming from the theft of 57 unencrypted computer hard
    drives that contained protected health information of over 1 million
    individuals.
•   In January 2012, the Department of Commerce discovered that the
    computer network of the department’s Economic Development
    Administration (EDA) was hit with a virus, forcing EDA to disable e-
    mail services and Internet access pending investigation into the cause
    and scope of the problem, which persisted for over 12 weeks.
•   In June 2011, a major bank reported that hackers had broken into its
    systems and gained access to the personal information of hundreds of
    thousands of customers. Through the bank’s online banking system,
    the attackers were able to view certain private customer information.
•   Citi reissued over 200,000 cards after a May 2011 website breach.
    About 360,000 of its approximately 23.5 million North American card
    accounts were affected, resulting in the potential for misuse of
    cardholder personal information.
•   In April 2011, Sony disclosed that it suffered a massive breach in its
    video game online network that led to the theft of personal
    information, including the names, addresses, and possibly credit card
    data belonging to 77 million user accounts.
•   In February 2011, media reports stated that computer hackers had
    broken into and stolen proprietary information worth millions of dollars
    from the networks of six U.S. and European energy companies.
•   In July 2010, a sophisticated computer attack, known as Stuxnet, was
    discovered. It targeted control systems used to operate industrial


Page 12                                              GAO-12-666T Cyber Threats
                      processes in the energy, nuclear, and other critical sectors, reportedly
                      causing physical damage. It is designed to exploit a combination of
                      vulnerabilities to gain access to its target and modify code to change
                      the process.
                  •   A retailer reported in May 2011 that it had suffered a breach of its
                      customers’ card data. The company discovered tampering with the
                      personal identification number (PIN) pads at its checkout lanes in
                      stores across 20 states.
                  •   In August 2006, two circulation pumps at Unit 3 of the Browns Ferry,
                      Alabama, nuclear power plant failed, forcing the unit to be shut down
                      manually. The failure of the pumps was traced to excessive traffic on
                      the control system network, possibly caused by the failure of another
                      control system device.
                  These incidents illustrate the serious impact that cyber threats can have
                  on federal agency operations, the operations of critical infrastructures,
                  and the security of sensitive personal and financial information.


                  In summary, the cyber-threats facing the nation are evolving and growing,
                  with a wide array of potential threat actors having access to increasingly
                  sophisticated techniques for exploiting system vulnerabilities. The danger
                  posed by these threats is heightened by the weaknesses that continue to
                  exist in federal information systems and systems supporting critical
                  infrastructures. Ensuring the security of these systems is critical to
                  avoiding potentially devastating impacts, including loss, disclosure, or
                  modification of personal or sensitive information; disruption or destruction
                  of critical infrastructure; and damage to our national and economic
                  security.

                  Chairman McCaul, Ranking Member Keating, and Members of the
                  Subcommittee, this concludes my statement. I would be happy to answer
                  any questions you have at this time.


                  If you have any questions regarding this statement, please contact
Contact and       Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Other
Acknowledgments   key contributors to this statement include Michael Gilmore and Anjalique
                  Lawrence (Assistant Directors), Kristi C. Dorsey, and Lee A. McCracken.




                  Page 13                                              GAO-12-666T Cyber Threats
Appendix I: Related GAO Products
              Appendix I: Related GAO Products




              Management Report: Improvements Needed in SEC’s Internal Controls
              and Accounting Procedures. GAO-12-424R. Washington, D.C.: April 13,
              2012.

              IT Supply Chain: National Security-Related Agencies Need to Better
              Address Risks. GAO-12-361. Washington, D.C.: March 23, 2012.

              Information Security: IRS Needs to Further Enhance Internal Control over
              Financial Reporting and Taxpayer Data. GAO-12-393. Washington, D.C.:
              March 16, 2012.

              Cybersecurity: Challenges in Securing the Modernized Electricity Grid.
              GAO-12-507T. Washington, D.C.: February 28, 2012.

              Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but
              More Can Be Done to Promote Its Use. GAO-12-92. Washington, D.C.:
              December 9, 2011.

              Cybersecurity Human Capital: Initiatives Need Better Planning and
              Coordination. GAO-12-8. Washington, D.C.: November 29, 2011.

              Information Security: Additional Guidance Needed to Address Cloud
              Computing Concerns. GAO-12-130T. Washington, D.C.: October 6, 2011.

              Information Security: Weaknesses Continue Amid New Federal Efforts to
              Implement Requirements. GAO-12-137. Washington, D.C.: October 3,
              2011.

              Personal ID Verification: Agencies Should Set a Higher Priority on Using
              the Capabilities of Standardized Identification Cards. GAO-11-751.
              Washington, D.C.: September 20, 2011.

              Information Security: FDIC Has Made Progress, but Further Actions Are
              Needed to Protect Financial Data. GAO-11-708. Washington, D.C.:
              August 12, 2011.

              Cybersecurity: Continued Attention Needed to Protect Our Nation’s
              Critical Infrastructure. GAO-11-865T. Washington, D.C.: July 26, 2011.

              Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber
              Activities. GAO-11-75. Washington, D.C.: July 25, 2011.




              Page 14                                              GAO-12-666T Cyber Threats
Appendix I: Related GAO Products




Information Security: State Has Taken Steps to Implement a Continuous
Monitoring Application, but Key Challenges Remain. GAO-11-149.
Washington, D.C.: July 8, 2011.

Social Media: Federal Agencies Need Policies and Procedures for
Managing and Protecting Information They Access and Disseminate.
GAO-11-605. Washington, D.C.: Jun 28, 2011.

Cybersecurity: Continued Attention Needed to Protect Our Nation’s
Critical Infrastructure and Federal Information Systems. GAO-11-463T.
Washington, D.C.: March 16, 2011.

High-Risk Series: An Update. GAO-11-278. Washington, D.C.: February
2011.

Electricity Grid Modernization: Progress Being Made on Cybersecurity
Guidelines, but Key Challenges Remain to be Addressed. GAO-11-117.
Washington, D.C.: January 12, 2011.

Information Security: Federal Agencies Have Taken Steps to Secure
Wireless Networks, but Further Actions Can Mitigate Risk. GAO-11-43.
Washington, D.C.: November 30, 2010.

Cyberspace Policy: Executive Branch Is Making Progress Implementing
2009 Policy Review Recommendations, but Sustained Leadership Is
Needed. GAO-11-24. Washington, D.C.: October 6, 2010.

Information Security: Progress Made on Harmonizing Policies and
Guidance for National Security and Non-National Security Systems.
GAO-10-916. Washington, D.C.: September 15, 2010.

Information Management: Challenges in Federal Agencies’ Use of Web
2.0 Technologies. GAO-10-872T. Washington, D.C.: July 22, 2010.

Critical Infrastructure Protection: Key Private and Public Cyber
Expectations Need to Be Consistently Addressed. GAO-10-628.
Washington, D.C.: July 15, 2010.

Cyberspace: United States Faces Challenges in Addressing Global
Cybersecurity and Governance. GAO-10-606. Washington, D.C.: July 2,
2010.




Page 15                                            GAO-12-666T Cyber Threats
           Appendix I: Related GAO Products




           Cybersecurity: Continued Attention Is Needed to Protect Federal
           Information Systems from Evolving Threats. GAO-10-834T. Washington,
           D.C.: June 16, 2010.

           Cybersecurity: Key Challenges Need to Be Addressed to Improve
           Research and Development. GAO-10-466. Washington, D.C.: June 3,
           2010.

           Information Security: Federal Guidance Needed to Address Control
           Issues with Implementing Cloud Computing. GAO-10-513. Washington,
           D.C.: May 27, 2010.

           Information Security: Agencies Need to Implement Federal Desktop Core
           Configuration Requirements. GAO-10-202. Washington, D.C.: March 12,
           2010.

           Information Security: Concerted Effort Needed to Consolidate and Secure
           Internet Connections at Federal Agencies. GAO-10-237. Washington,
           D.C.: March 12, 2010.

           Cybersecurity: Progress Made but Challenges Remain in Defining and
           Coordinating the Comprehensive National Initiative. GAO-10-338.
           Washington, D.C.: March 5, 2010.

           National Cybersecurity Strategy: Key Improvements Are Needed to
           Strengthen the Nation’s Posture. GAO-09-432T. Washington, D.C.:
           March 10, 2009.

           Information Security: TVA Needs to Address Weaknesses in Control
           Systems and Networks. GAO-08-526. Washington, D.C.: May 21, 2008.

           Critical Infrastructure Protection: Multiple Efforts to Secure Control
           Systems Are Under Way, but Challenges Remain. GAO-07-1036.
           Washington, D.C.: September 10, 2007.




(311087)
           Page 16                                               GAO-12-666T Cyber Threats
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
GAO’s Mission         The Government Accountability Office, the audit, evaluation, and
                      investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

                      The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of   cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and       GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
Testimony             go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      http://www.gao.gov/ordering.htm.
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.
                      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.
                      Contact:
To Report Fraud,
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
Federal Programs      Automated answering system: (800) 424-5454 or (202) 512-7470

                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional         4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations             7125, Washington, DC 20548

                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548




                        Please Print on Recycled Paper.