The United States is at no risk of being confused for a country with serious cybersecurity defenses.
Despite having spent years pouring billions of dollars into programs designed to protect federal agencies against sophisticated threats, the government on Tuesday received yet another abysmal cybersecurity report card, finding “essentially the same failures” present today as a decade past.
Seven out of eight U.S. agencies that were found to inadequately protect sensitive personal information two years ago remain as vulnerable as ever, according to the report, which concluded that only the Department of Homeland Security had managed to improve its security posture.
DHS had received its own failing grade in 2019, despite being the central agency charged with implementing security standards across the federal government.
The report, compiled by the Senate Homeland Security and Government Operations Committee, is based on audits conducted by the inspectors general of their respective agencies.
The assessments pertain only to the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education, and to the Social Security Administration.
Many of the findings are alarming, to put it mildly.
With regard to the State Department’s classified network, for example, the agency failed to produce user access agreements 60 percent of the time. Such agreements are considered a requirement for access to classified networks and are signed by employees to acknowledge rules of behavior, such as the requirement to immediately report suspected misuse or compromise of systems. They may also include non-disclosure clauses and conflict-of-interest statements.
The department’s classified network “contains data which if disclosed to an unauthorized person could cause ‘grave damage’ to national security,” the report says.
Worse still, the department failed to deactivate “thousands” of inactive accounts. Former employees—including those who’ve been fired—could have used those accounts to gain access to state secrets. Network monitoring tools would not have been triggered by the access because the users were, in effect, still authorized.
When investigators recommended to State that accounts be automatically disabled after two months of inactivity, the department argued against it “citing a memorandum regarding another matter entirely,” the report says. The inspector general assessed in response that the agency’s IT staff must be confused.
“This was not the only example in which State seemed to misunderstand a recommendation by the Inspector General,” the report went on to say.
The Department of Transportation’s security posture appears to have significantly worsened in the last two years alone. The inspector general there found 250 agency systems with invalid authorizations, opening the agency up to “information loss, fraud, or abuse.” Two years ago, only 61 systems were reported in this state. The department has been cited for this same issue “for the last eleven fiscal years,” the report says.
Additionally, 87 percent of the department’s systems were found to lack basic tools for assessing system vulnerabilities. Critical vulnerabilities, when they were discovered, were not addressed fast enough across 37 separate systems.
The Department of Housing and Urban Development, or HUD, is said to maintain “at least a billion” records containing the personal information of U.S. citizens. It is also plagued by what’s known as “shadow IT”—devices and software connected to its network without the knowledge of IT staff. That lack of knowledge prevents proper controls from being enforced and leaves backdoors for hackers wide open.
Many “mission-essential” applications used by HUD “have not been modernized in decades,” the report says.
The networks of several sub-agencies within the Department of Health and Human Services, meanwhile, lacked proper tools to detect unauthorized software installed on devices. Two sub-agencies were found not to be using an application designed to detect and block cyberattacks, even though federal law has required it “for nearly five years.”
The most recent audit of the Department of Education’s systems found that several “lacked critical patches increasing their exposure to potential attack,” the result of an IT department that “consistently” failed to enforce rules designed to mitigate attacks.
The Social Security Administration, which houses “sensitive information about every individual who has been issued a Social Security number,” received the equivalent of a “D” grade. Security issues that have plagued the agency since at least 2014 remain a problem today.
The list goes on.
“What this report finds is stark,” the Senators wrote, adding it was “no surprise” that the government has repeatedly fallen victim to espionage by foreign hackers.
The Cybersecurity and Infrastructure Security Agency, which is responsible for improving cybersecurity across the government, requested nearly $700 million last year to “provide the technology foundation to secure and defend the Federal civilian Government’s IT infrastructure against advanced cyber threats.”
By the end of the year, investigators found that hackers had already compromised no fewer than nine federal agencies, an apparent act of espionage carried out by Russian intelligence that would likely have gone unnoticed by the government for some time had it not first been uncovered by a private security firm.
“The recent widespread cyber intrusion campaign targeted federal networks using advanced cyber capabilities that had the potential to undermine critical infrastructure, target our intellectual property, steal our national security secrets, and threaten our democratic institutions,” CISA’s former acting director, Brandon Wales, told a House committee in March.
“We must act now and decisively to truly defend today,” he said, “and to secure tomorrow.”