The Register®

Original URL: http://www.theregister.co.uk/2005/06/17/us_gov_security_audit/

GAO gives US.gov D- for security

Holes inside the Beltway

By John Leyden

Posted in Security, 17th June 2005 16:03 GMT


US federal agencies are poorly prepared to withstand spyware, spam or phishing attacks, a government audit has concluded. A survey by the Government Accountability Office published this week reveals a lack of coherent security planning among as many as 20 federal agencies.

"Many agencies have not fully addressed the risks of emerging cybersecurity threats as part of their required agency-wide information security programs," the GAO's Emerging Cybersecurity Issues Threaten Federal Information Systems study (PDF summary [1]) states. It called on agencies to implement recommendations in the Federal Information Security Management Act of 2002.

The report also criticised the Department of Homeland Security for a lack of leadership on information security reporting issues. US government agencies are supposed to report information security threats to US CERT but this is a custom more honoured in the breach than by its observance, the study concludes.

The issues addressed in the report are far from theoretical. Staff at several agencies - including the FBI and the Internal Revenue Service - have been taken in by phishing attacks, the GAO's study notes. Gartner security guru John Pescatore told [2] Computerworld that private sector firms were little or no better than government organisations in defending against emerging security threats. "If there was a GAO that looked at private companies, you would find the same thing," he said. ®
