The Government Accountability Office, in a 79-page report, says federal agencies should do more to limit potential damage from these threats. Phishers have targeted federal entities such as the FBI, the Federal Deposit Insurance Corp., the Internal Revenue Service, and Regulations.com. Eleven of 24 agencies surveyed by GAO said spyware caused a loss of employee productivity or required increased use of help-desk support. Six of 24 agencies told GAO that phishing attacks resulted in increased help-desk support and instances of compromised credit-card accounts.
Federal agencies' perceptions of the risks of these kinds of attacks vary, Gregory Wilshusen, GAO's director of information security issues, says in the report. In fact, he says, most agencies weren't applying the information security program requirements of the Federal Information Security Management Act of 2002 to these emerging threats, including performing risk assessments and implementing effective mitigating controls.
Federal law requires agencies to report emerging cybersecurity threats to a central federal authority, but most fail to do so consistently. GAO says, however, that governmentwide guidance hasn't been issued to clarify for agencies which incidents they should be reporting, as well as how and to whom they should report. "Without effective coordination, the federal government is limited in its ability to identify and respond to emerging cybersecurity threats," Wilshusen says, "including sophisticated and coordinated attacks that target multiple federal entities."