A survey of the largest federal agencies by the Government Accountability Office revealed that most agencies are suffering from junk e-mail and other online detritus--but not one has a plan in place to deal with the threat and all have received limited guidance on what to do.
"Our analysis of the incident-response plans or procedures provided by the 20 agencies showed that none specifically addressed spyware or phishing," says the GAO report that was published Monday.
Making matters worse is that the Department of Homeland Security, which is responsible for securing federal computers, appears to have been idle. "As of March 31, 2005, DHS's National Cyber Security Division had produced minimal guidance to federal agencies on how they should protect themselves from spam, phishing, spyware, or other emerging threats," the report warns. "In fact, the one relevant publication that was targeted to federal agencies was issued over two years ago."
This is no mere theoretical concern. Employees at the FBI, IRS, State Department, and Homeland Security's Immigration and Customs Enforcement have already been hit by e-mail scams asking for credit card, bank account, or Social Security numbers. A successful spyware intrusion into a sensitive government computer could bring serious consequences, such as leaking personal information or jeopardizing a criminal investigation.
This week's report represents the latest in a series of embarrassing critiques of the federal government's ability to protect its computers.
Last month, auditors found that Homeland Security has failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies. It has never developed a contingency plan to restore Internet functions in an emergency and has yet to create a vulnerability assessment of what could happen in a worst-case scenario.