Cybersecurity at eight federal agencies is so poor that four of them received a D, three a C and only one received a B in a report released Tuesday by a US Senate committee.
“Clearly, the data entrusted to these eight key agencies continues to be at risk,” the 47-page report said. “As hackers, both state-sponsored and otherwise, become more sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable.”
The report, issued by the Senate Committee on Homeland Security and Government Affairs, comes two years after a separate report found systemic deficiencies in how the same eight federal agencies adhered to federal cybersecurity standards. The earlier report found that during the decade from 2008 to 2018, the agencies failed to properly protect personally identifiable information, maintain a list of all hardware and software used on their networks, and install vendor-supplied security patches in a timely manner.
The 2019 report also highlighted that the agencies were using legacy systems that were expensive to maintain and difficult to secure. All eight agencies, including the Social Security Administration and the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education, have failed to protect the sensitive information they have stored or retained.
Tuesday’s report, titled Federal Cybersecurity: US Data Still at Risk, analyzed the security practices of the same agencies for 2020. It found that only one agency had achieved a B grade for its cybersecurity practices last year.
“What this report finds is grim,” the authors wrote. “Inspectors General identified many of the same issues that have plagued federal agencies for more than a decade. Seven agencies have made minimal improvements and only DHS has managed to maintain an effective cybersecurity regime for 2020. As such, this report finds that these seven federal agencies still fail to meet the core cybersecurity standards needed to protect America’s sensitive data.”
The authors assigned the following grades:

| Agency | Grade |
|---|---|
| Department of State | D |
| Department of Transportation | D |
| Department of Education | D |
| Social Security Administration | D |
| Department of Agriculture | C |
| Department of Health and Human Services | C |
| Department of Housing and Urban Development | C |
| Department of Homeland Security | B |
The State Department’s systems, the auditors found, often operated without the required authorizations, ran on software (including Microsoft Windows) that was no longer supported, and failed to install security patches in a timely manner.
The department’s user management system came under particular criticism because officials were unable to provide documentation of user access agreements for 60 percent of sample employees who had access to the department’s classified network.
The auditors wrote:
This network contains data that, if disclosed to an unauthorized person, could cause “serious damage” to national security. Perhaps more disturbingly, State failed to shut down thousands of accounts after extended periods of inactivity on both its classified and sensitive but unclassified networks. According to the inspector general, some accounts remained active for 152 days after employees resigned, retired or were fired. Former employees or hackers could use those unexpired credentials to access sensitive and classified information from State while impersonating an authorized user. The Inspector General warned that without solving problems in this category, “the risk of unauthorized access is greatly increased.”
The Social Security Administration, meanwhile, had many of the same shortcomings, including lack of authorization for many systems, use of unsupported systems, failure to compile an accurate and comprehensive inventory of IT assets, and failure to provide adequate protection for PII.
Details on the other departments are available in the previously linked report.
The report comes seven months after the discovery of a supply chain attack that led to the compromise of nine federal agencies and about 100 private companies. In April, hackers working on behalf of the Chinese government breached multiple federal agencies by exploiting vulnerabilities in the Pulse Secure VPN.
For all of 2020, the White House reported 30,819 information security incidents in the federal government, an 8 percent increase from the previous year.