Federal agencies vulnerable to cyber attacks and doing nothing about it, report says

Federal government agencies are wildly vulnerable to cyber-attacks, with the number of cyber incidents reported by federal agencies increasing more than 1,300 percent between 2006 and 2015.

But the agencies being attacked are doing very little to protect themselves, according to the results of a 10-month Senate investigation of eight federal agencies.

The Senate Permanent Subcommittee on Investigations — which is chaired by Sen. Rob Portman, R-Ohio — found that the Department of Homeland Security (the very agency tasked with fighting cyber-attacks) and seven other agencies have failed to address the vulnerabilities in their IT infrastructure, leaving themselves susceptible to cyber-attack and Americans’ personal information vulnerable to theft.

The problems range from systems so antiquated that they can’t be updated with new security patches to agencies that year after year fail to protect the personal information of millions of Americans.

The subcommittee studied 10 years’ worth of government agency audits of the IT systems of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, Education and the Social Security Administration.

Their investigation comes after a surge in data breaches in the federal government with agencies including the U.S. Postal Service, the Internal Revenue Service and the White House reporting attacks.

In 2015, for example, a hacker broke into government databases to gain access to 22 million security clearance files from the Office of Personnel Management.

In 2017 alone, meanwhile, federal agencies reported 35,277 cyber incidents.

Federal agencies often have access to sensitive information because of the very nature of what they do.

The Department of Education collects financial data on students and parents applying for college loans.

Disabled Americans must provide years of medical records to prove that they are entitled to disability benefits from the Social Security Administration.

And homeowners must provide payroll and savings information to the Department of Housing and Urban Development to qualify for home loans.

Congress tasked agencies with securing their IT networks as far back as 2002, and asked each agency’s Inspector General to annually audit compliance with basic cybersecurity standards.

But the subcommittee found that most of the agencies studied were failing to comply with even the most basic standards, including properly protecting personally identifiable information.

Five agencies did not maintain a comprehensive and accurate list of information technology assets, meaning they had no idea which applications were operating on their networks.

All eight agencies failed to install security patches and other updates to prevent their systems from being vulnerable to attack.

In the most recent audits, seven of the eight agencies failed to provide for the adequate protection of personally identifiable information.

And all of the agencies used legacy systems so old that vendors no longer support them or issue updates to patch cybersecurity vulnerabilities.

Homeland Security, for example, uses Windows 2003 on some of its systems.

The system used by Housing and Urban Development to initiate and track loan case numbers and associated data, meanwhile, is so old that lenders are unable to submit loan applications electronically and must instead send hard copies through the mail.

And Social Security’s system to hold retirement and disability information on millions of Americans in some cases uses a programming language developed in the 1950s and 1960s – a language that will become increasingly obsolete as the IT professionals who know the coding language retire.

Some of the agencies are particularly susceptible to attack. The Department of Education, for example, has been unable to prevent unauthorized outside devices from easily connecting to the agency’s network since 2011.

In its 2018 audit, Education’s inspector general found that the department had been able to restrict unauthorized access to 90 seconds — still enough time for a hacker to “launch an attack or gain intermittent access to internal network resources that could lead to” exposing the agency’s data.

Education holds personally identifiable information on millions of Americans.

Portman said federal agencies “have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft.”

“The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats,” he said.

The report makes a list of recommendations aimed at securing government IT systems. Among them: that federal agencies consolidate security processes and capabilities in order to better detect cybersecurity incidents, and that each agency give its chief information officer broader authority and latitude to make organization-wide decisions regarding cybersecurity.

Sen. Tom Carper, D-Delaware, the ranking member of the subcommittee, said the Office of Management and Budget — the agency responsible for cybersecurity efforts across government — “must provide the necessary leadership to ensure that agencies are staying vigilant and prioritizing good cybersecurity practices.”

“We know that the threats posed by cyber-attacks continue to evolve and grow every day, so it is crucial that agencies across our government prioritize efforts to better protect their networks from hackers,” he said.
