Information security continues to make the list - for the 12th year. In the section titled "Protecting the Federal Government’s Information Systems and the Nation’s Critical Infrastructures", the report notes that the Department of Homeland Security (DHS) has made some progress but still falls short:
"Federal information security has been on GAO’s list of high-risk areas since 1997; in 2003, GAO expanded this high-risk area to include cyber CIP [Critical Infrastructure Protection]. The continued risks to information systems include escalating and emerging threats; the ease of obtaining and using hacking tools; the steady advance in the sophistication of attack technology; and the emergence of new and more destructive attacks."
Specifically, the report refers to numerous detailed past GAO reports and summarizes several areas requiring attention:
"Since 2006, GAO has made numerous recommendations in the following key areas:
- bolstering cyber analysis and warning capabilities.
- reducing organizational inefficiencies.
- completing actions identified during cyber exercises.
- developing sector-specific plans that fully address all cyber-related criteria.
- improving cyber security of infrastructure control systems.
- strengthening DHS’s ability to help recover from Internet disruptions.
"Until these and other key cyber security areas are effectively addressed, the nation’s cyber critical infrastructure is at risk of increasing threats posed by terrorists, nation-states, and others."
HIGH-RISK SERIES: An Update