Government systems ripe with cyber vulnerabilities, report shows

"Simple stuff" not getting done, and poor password hygiene among top issues

Weak, missing, neglected and poorly managed passwords dot more than 48,000 cyber “incidents” involving government systems reported to the Department of Homeland Security, according to a government report released Tuesday.

Sen. Tom Coburn, R-Oklahoma, cyber-security, security, passwords, authentication
Sen. Tom Coburn, R-Okla., was lead on committee's cybersecurity report

The report details "dangerous vulnerabilities" that persist in the information systems within government operations, such as failure to patch or update software, poor password hygiene, out of date anti-virus software, poor physical and information security, uncorrected software vulnerabilities, unprotected servers and vulnerable web applications.

The report covers fiscal year 2012 and was prepared by the Minority Staff of the Homeland Security and Governmental Affairs Committee and supervised by Oklahoma Sen. Tom Coburn, the committee's ranking member. HSGA is the chief oversight committee of the U.S. Senate and has primary oversight responsibility for the Department of Homeland Security.

Agencies "aren't even doing the simple stuff," Coburn told the Washington Post.

To make matters even more dire, the report cited an estimate made by the Congressional Research Service that shows the federal government has spent since 2006 at least $65 billion on securing its computers and networks.

The report draws on more than 40 audits and other reviews by agency inspectors general,  including mandated annual Federal Information Security Management Act audits for nearly a dozen agencies, as well as open-source reporting on cybersecurity and federal agencies.

The report calls out problems cited in a list of agencies, including the Department of Homeland Security. In fact, just a month after the White House had picked DHS to supervise cybersecurity on all federal government networks the department found its hand-picked inspectors had hundreds of problems on their own systems.

The other agencies cited in the report were The Nuclear Regulatory Commission, The Securities and Exchange Commission, U.S. Army Corps of Engineers, the Federal Communications Commission, National Institute of Standards and Technology, Internal Revenue Service,  Department of Education, and the Department of Energy.

One of the most recurring problems was mistakes involving passwords used to protect users, data and systems. Password errors dotted the 17-page report.

FEMA was cited using default passwords on an Enterprise Data Warehouse that could access Personally Identifying Information. In another incident, passwords had been written down and left on desks, including 10 passwords in the office of the Chief Information Officer for U.S. Immigration and Customs Enforcement.

At the IRS, user names and passwords were not properly encrypted. The IRS also was cited for allowing the use of easily guessed passwords such as "password" and the agency's own name. In addition, the General Accounting Office cited the IRS for "allowing old, weak passwords in every one of its reports on IRS’ information security for the past six years." The report also said some IRS users had not changed their password in two years.

At the Department of Education, hundreds of user accounts had not had a password change in 90 days, and many had not been reset in a year, which violated the department's own policies.  In addition, fewer than half of the authentication tokens given to many employees, per regulations set by DHS and the Office of Management and Budget, had been activated by the recipients.

The Department of Energy was found to have a public facing server configured with the default user name and password, which could have allowed a hacker access to  an internal database supporting the electricity scheduling system at the Western Area Power Administration. In addition, 11 servers checked by the Office of Inspector General last year had no password protections or were configured with default/weak passwords, which could help an attacker gain access to the systems and use those systems to attack other systems on the DOE network.

The complete report is available on Sen. Coburn's web site.