The gravest attacks perpetrated against agency networks, and the most common, involved nation states, according to an audit that happened to be released amid accusations that the Russian government hacked the Democratic National Committee.
The Government Accountability Office assessment comes one year after the Office of Personnel Management disclosed the biggest known breach of government-held personal information, also allegedly a foreign job.
OPM is one of four representative agencies scrutinized that still do not always use effective access controls, the February 2015-May 2016 audit found. The other departments studied were Veterans Affairs, NASA and the Nuclear Regulatory Commission.
All 18 agencies that operate high-impact systems vital to society cited nation-state attacks as the most serious threat. All but three departments said they happened most often.
Most frequently, agencies are alerted to incidents involving spearphishing emails with malicious links or attachments, GAO says. And those attacks — emails tailored to deceive specific employees — were rated the most serious at 17 of the 18 agencies.
OPM and Auditors Dispute Findings of Security Testing
In response to a draft of the report, however, OPM argued the auditors did not supply the agency with enough details to cross-check the weaknesses categorized as “boundary protection” and “authorization” vulnerabilities.
The agency also contended GAO did not fully describe the nature of the security weaknesses until a week before a response to the draft was due May 2.
“However, we do not believe this is an accurate characterization of the situation,” Gregory C. Wilshusen, GAO director for…