The recent U.S. Government Accountability Office (GAO) report based on input from security personnel at 24 agencies warned that the federal government is not sufficiently addressing the threats brought by spam, phishing, and spyware. Many of the agencies were oblivious to the fact that phishing and pharming, for example, are major security risks.
Emerging cyberthreats such as spam, phishing, and spyware present substantial risks to the security of federal information systems. However, agencies have not fully addressed the risks of these threats as part of their FISMA-required agencywide information security programs. Although the federal government has efforts under way to help users and the private-sector community address spam, phishing, and spyware, similar efforts have not been made to assist federal agencies. Consequently, agencies remain unprepared to effectively detect, respond, and protect against the increasingly sophisticated and malicious threats that continue to place their systems and operations at risk.
I don't expect every federal government agency to be ahead of the private sector in dealing with cybersecurity, but combined with the GAO report concluding that the Department of Homeland Security will "have difficulty achieving significant results in strengthening the cybersecurity of our critical infrastructures," it's apparent that cybersecurity isn't a top priority. And it won't be a top priority until after some catastrophic cyberattack occurs...
Moreover, although OMB and DHS share responsibility for coordinating the federal government’s response to cyberthreats, guidance has not been provided to agencies on when and how to escalate incidents of emerging threats to DHS’s US-CERT. As a result, incident reporting from agencies is inconsistent at best. Until incident reporting roles, responsibilities, processes, and procedures are clarified, the federal government will be at a clear disadvantage in effectively identifying, mitigating, and potentially prosecuting sophisticated and coordinated attacks that target multiple federal entities.