Original URL: http://www.theregister.co.uk/2005/06/17/us_gov_security_audit/
GAO gives US.gov D- for security
Holes inside the Beltway
Posted in Security, 17th June 2005 16:03 GMT
US federal agencies are poorly prepared to withstand spyware, spam or phishing attacks, a government audit has concluded. A survey by the Government Accountability Office published this week reveals a lack of coherent security planning among as many as 20 federal agencies.
"Many agencies have not fully addressed the risks of emerging cybersecurity threats as part of their required agency-wide information security programs," the GAO's Emerging Cybersecurity Issues Threaten Federal Information Systems study (PDF summary (http://www.gao.gov/highlights/d05231high.pdf)) states. It called on agencies to implement recommendations in the Federal Information Security Management Act of 2002.
The report also criticised the Department of Homeland Security for a lack of leadership on information security reporting issues. US government agencies are supposed to report information security threats to US CERT but this is a custom more honoured in the breach than by its observance, the study concludes.
The issues addressed in the report are far from theoretical. Staff at several agencies - including the FBI and the Internal Revenue Service - have been taken in by phishing attacks, the GAO's study notes. Gartner security guru John Pescatore told (http://www.computerworld.com/securitytopics/security/story/0,10801,102489,00.html?source=x10) Computerworld that private sector firms were little or no better than government organisations in defending against emerging security threats. "If there was a GAO that looked at private companies, you would find the same thing," he said. ®
