The Government Accountability Office released Feb. 14 a report on the state of information security in the federal government. On page 21 is a pie chart that shows the types of security incidents agencies reported to the U.S. Computer Emergency Response Team in 2007.
GAO notes that "the three most prevalent types of incidents reported to US-CERT in fiscal year 2007 were unauthorized access, improper usage, and investigation." The first two accounted for 44 percent of the incidents.
But the investigation category is the most telling, and not fully discussed by GAO. GAO defines investigations as "unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review." That's another way of saying, "We have no idea what it is."
Agencies can't immediately identify nearly one-third of the cyberattacks they experience. They believe something is going on, but they just can't put their finger on it. That nearly matches what CIO Magazine and PricewaterhouseCoopers found when conducting their 2007 security survey of public and private sector organizations: about 32 percent of respondents said they couldn't identify the type of cyberattack that hit them.
The other question GAO could have asked agencies is: Do you know how many cyberattacks your systems experienced? If federal IT managers were honest, GAO would find that 40 percent of agencies had no clue. That's the figure reported by the CIO/PwC survey.
The scary thing is that those are only the cyberattacks we know of. The truly malicious attacks are the ones that slip beneath agencies' intrusion detection systems and are never detected at all.