Their investigation comes after a surge in data breaches in the federal government with agencies including the U.S. Postal Service, the Internal Revenue Service and the White House reporting attacks.
In 2015, for example, a hacker broke into government databases to gain access to 22 million security clearance files from the Office of Personnel Management.
In 2017 alone, meanwhile, federal agencies reported 35,277 cyber incidents.
Federal agencies often have access to sensitive information because of the very nature of what they do.
The Department of Education collects financial data on students and parents applying for college loans.
Disabled Americans must provide years of medical records documenting their conditions to prove that they are entitled to disability benefits from the Social Security Administration.
And homeowners must provide payroll and savings information to the Department of Housing and Urban Development to qualify for home loans.
Congress tasked agencies with securing their IT networks as far back as 2002, and asked each agency’s Inspector General to annually audit compliance with basic cybersecurity standards.
But the subcommittee found that most of the agencies studied were failing to comply with even the most basic standards, including properly protecting personally identifiable information.
Five agencies did not maintain a comprehensive and accurate list of information technology assets, meaning they had no idea which applications were operating on their networks.
All eight agencies failed to install security patches and other updates to prevent their systems from being vulnerable to attack.
In the most recent audits, seven of the eight agencies failed to provide for the adequate protection of personally identifiable information.
And all of the agencies used legacy systems that were so old that vendors no longer support or issue updates to patch cybersecurity vulnerabilities.
Homeland Security, for example, uses Windows 2003 on some of its systems.
The system used by Housing and Urban Development to initiate and track loan case numbers and associated data, meanwhile, is so old that lenders are unable to submit loan applications electronically and must instead send hard copies through the mail.
And Social Security's system to hold retirement and disability information on millions of Americans in some cases uses a programming language developed in the 1950s and 1960s, one that will become increasingly difficult to maintain as the IT professionals who know it retire.
Some of the agencies are particularly susceptible to attack. The Department of Education, for example, has been unable to prevent unauthorized outside devices from easily connecting to the agency’s network since 2011.
In its 2018 audit, Education’s inspector general found that the department had been able to restrict unauthorized access to 90 seconds — still enough time for a hacker to “launch an attack or gain intermittent access to internal network resources that could lead to” exposing the agency’s data.
Education holds personally identifiable information on millions of Americans.
Portman said federal agencies “have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft.”
“The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats,” he said.
The report makes a list of recommendations aimed at securing government IT systems. Among them: that federal agencies consolidate security processes and capabilities in order to better detect cybersecurity incidents, and that each agency give its chief information officer the authority to make organization-wide decisions regarding cybersecurity.
Sen. Tom Carper, D-Delaware, the ranking member of the subcommittee, said the Office of Management and Budget — the agency responsible for cybersecurity efforts across government — “must provide the necessary leadership to ensure that agencies are staying vigilant and prioritizing good cybersecurity practices.”
“We know that the threats posed by cyber-attacks continue to evolve and grow every day, so it is crucial that agencies across our government prioritize efforts to better protect their networks from hackers,” he said.