A new report published by the US Senate yesterday reveals a decade-long string of failures at eight government agencies that failed to follow basic cyber-security practices and exposed their networks, and US citizens' most personal data, to attackers.
The report was ordered by US Senators Rob Portman (R-OH) and Tom Carper (D-DE), the Chairman and Ranking Member of the US Senate Permanent Subcommittee on Investigations (PSI) on Homeland Security and Governmental Affairs.
The PSI investigators reviewed the past ten years of Inspectors General (IG) reports on compliance with federal information security standards.
The investigation took ten months and analyzed the cyber-security compliance of eight US government agencies: (1) the Department of State; (2) the Department of Transportation; (3) the Department of Housing and Urban Development; (4) the Department of Agriculture; (5) the Department of Health and Human Services; (6) the Department of Education; (7) the Social Security Administration; and (8) the Department of Homeland Security.
Investigators specifically analyzed the first seven agencies because they were cited in Office of Management and Budget (OMB) reports as having the lowest ratings with regard to cybersecurity practices.
The US govt's sad state of cyber-security practices
The investigation effectively compiled a slew of bad practices and gigantic failures across the eight agencies into one report, putting in perspective the sad state of the US government's cyber-security posture.
For example, one of the biggest issues PSI investigators found was at the Department of Education, where administrators had failed to control access to their network. A 2018 IG report revealed that anyone could connect an unauthorized device to the Department's network and keep that connection alive for up to 90 seconds, an interval long enough to launch automated attacks against the Department's servers.
But this was only one of the many findings. PSI investigators also found that five of the eight agencies had failed to maintain accurate and comprehensive IT asset inventories.
This is a big issue. For example, just last week, NASA admitted to getting hacked after an unauthorized Raspberry Pi device was connected to its IT network, which was later used as an entry point by hackers.
With the lack of an accurate IT asset inventory, system administrators can't deploy protections or make sure software updates are applied to all devices connected to a network, leaving gaps in an agency's protection.
And this is exactly what happened. According to the report, six of the eight surveyed agencies had failed to apply security patches and other vulnerability remediation actions.
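The two findings above (missing asset inventories and unapplied patches) are usually caught by the same routine check: reconciling what is actually on the wire against what the inventory says should be there. The Python script below is an added illustration, not code from the Senate report or from any of the agencies. The inventory, the observed-device list and the patch deadline are all constructed for the example, and the Raspberry Pi OUI prefixes it uses to tag a device like the one in the NASA incident are an assumption to be verified against the IEEE OUI registry before relying on them.

```python
"""Reconcile observed network devices against an IT asset inventory.

Added example, not from the Senate report or any agency tooling. The inventory
and the observed-device list are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# MAC prefixes (OUIs) registered to the Raspberry Pi Foundation / Raspberry Pi
# Trading. Assumption for this example: confirm against the IEEE OUI registry.
RASPBERRY_PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}

# Constructed asset inventory: MAC -> hostname, owning team, last patch date (ISO).
INVENTORY: Dict[str, Dict[str, str]] = {
    "00:50:56:A1:00:01": {"host": "hr-db-01", "owner": "HR IT", "patched": "2019-06-01"},
    "00:50:56:A1:00:02": {"host": "web-03", "owner": "Web Ops", "patched": "2018-11-20"},
    "3C:5A:B4:10:22:33": {"host": "fileshare-02", "owner": "Infra", "patched": "2019-06-10"},
}

# Constructed observations, as they might come from a switch MAC table or an ARP sweep.
OBSERVED: List[Dict[str, object]] = [
    {"mac": "00:50:56:A1:00:01", "ip": "10.1.4.11", "vlan": 40},
    {"mac": "00:50:56:A1:00:02", "ip": "10.1.4.12", "vlan": 40},
    {"mac": "b8:27:eb:4f:9a:10", "ip": "10.1.4.77", "vlan": 40},  # unregistered Pi
    {"mac": "00:1B:21:7C:00:55", "ip": "10.1.9.3", "vlan": 90},   # unregistered, unknown vendor
]


@dataclass
class Finding:
    mac: str
    ip: str
    reason: str


def oui(mac: str) -> str:
    """Return the normalised 3-octet vendor prefix of a MAC address."""
    return mac.upper()[:8]


def reconcile(inventory: Dict[str, Dict[str, str]],
              observed: List[Dict[str, object]],
              patch_deadline: str) -> List[Finding]:
    """Flag three kinds of gap:
    1. a device seen on the network that the inventory does not know about
       (tagged if its OUI belongs to the Raspberry Pi set);
    2. an inventoried device whose last patch date is older than patch_deadline
       (ISO dates compare correctly as strings);
    3. an inventory record that no longer matches anything observed (stale record).
    """
    findings: List[Finding] = []
    seen = set()
    for dev in observed:
        mac = str(dev["mac"]).upper()
        ip = str(dev["ip"])
        seen.add(mac)
        if mac not in inventory:
            reason = "device not in inventory"
            if oui(mac) in RASPBERRY_PI_OUIS:
                reason += " (Raspberry Pi OUI)"
            findings.append(Finding(mac, ip, reason))
        elif inventory[mac]["patched"] < patch_deadline:
            findings.append(Finding(mac, ip, f"{inventory[mac]['host']}: patch level older than {patch_deadline}"))
    for mac, rec in inventory.items():
        if mac.upper() not in seen:
            findings.append(Finding(mac.upper(), "-", f"inventoried host {rec['host']} not seen on network"))
    return findings


if __name__ == "__main__":
    for f in reconcile(INVENTORY, OBSERVED, "2019-01-01"):
        print(f"{f.mac:17} {f.ip:12} {f.reason}")
```

Run against real data this should be fed the switch MAC tables or NAC logs rather than a hand-written list, and a device that trips the first check is the one to go and find physically; in the NASA case described above, that device was a Raspberry Pi that never appeared in any inventory.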
Furthermore, the PSI report also found that seven of the eight federal agencies failed to adequately protect personally identifiable information (PII), for instance by not encrypting stored PII, so that malware or a malicious insider who reaches the data can read and exfiltrate it in cleartext.
Bureaucracy strikes again
But even if the agencies and their IT staff wanted to make changes and improve their cyber-security status, things wouldn't have gotten far, the report also found.
For example, all eight agencies used legacy systems or applications that were no longer supported by the vendors with security updates. This meant that even if employees wanted to apply patches, some patches were simply not available.
New systems were direly needed that would include protections against modern threats.
Further, several Chief Information Officers at the agencies reviewed by the Subcommittee did not have the authority to make organization-wide decisions concerning information security. The agencies were therefore stuck in a state of limbo: CIOs knew they were running insecure systems and exposing user data, but could not do anything about it.
Other worrying findings:
The Department of Homeland Security failed to address cybersecurity weaknesses for at least a decade. DHS operated systems lacking valid authorities to operate for seven consecutive fiscal years.
The State Department had recurring cybersecurity vulnerabilities, some of which were outstanding for over five years.
The Department of Transportation Inspector General identified cybersecurity weaknesses at the agency that were outstanding for at least 10 years.
The Department of Agriculture had recurring cybersecurity issues that have persisted for as long as 10 years.
The Department of Health and Human Services had longstanding cybersecurity weaknesses, including some identified nearly a decade ago.
The Department of Education had recurring cybersecurity weaknesses that impeded the Department's ability to achieve an effective information security program.
The Social Security Administration had persistent cybersecurity issues risking the exposure of the personal information of 60 million Americans who receive Social Security benefits.
The full 99-page report from the US Senate Permanent Subcommittee on Investigations is available here.