
Senate investigation finds multiple federal agencies left sensitive data vulnerable to cyberattacks for past decade




Several federal agencies failed to update system vulnerabilities over the course of the last two administrations and left Americans' personal information open and vulnerable to theft, a report released Tuesday by the Senate Permanent Subcommittee on Investigations found.


The report, spearheaded by subcommittee Chairman Rob Portman (R-Ohio) and Ranking Member Tom Carper (D-Del.) and put together after a 10-month investigation, reviewed data compiled over the last decade by the Inspector General (IG) on federal information security standards for eight agencies.


These agencies were the Departments of State, Homeland Security (DHS), Health and Human Services (HHS), Transportation (DOT), Education, Agriculture (USDA), Housing and Urban Development (HUD), and the Social Security Administration (SSA). 


Of these agencies, the report found that seven had failed to provide adequate protection for personal information in their systems, and that six of the agencies had not installed system patches in a timely way to protect against cyber vulnerabilities. All eight agencies were found to use “legacy systems,” or those not supported by the original manufacturer anymore, resulting in further cyber vulnerabilities.


Specific agency findings included that DHS, DOT, USDA, and HHS failed to address some cybersecurity weaknesses identified by the IG over a decade ago, while the SSA was found to have severe cybersecurity vulnerabilities that risked the exposure of the personal information of over 60 million Americans who receive Social Security benefits.


Another major security flaw found by the investigation was that the Department of Education has been consistently unable to prevent unauthorized devices from connecting to its network since 2011. While the agency has limited this access to under 90 seconds, the IG reported that this was enough time for a malicious actor to launch an attack.


“Hackers with malicious intent can and do attack federal government cyber infrastructure consistently. In 2017 alone, federal agencies reported 35,277 cyber incidents,” Portman said in a statement. “Yet our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats.”


Carper added in a statement that “we know that the threats posed by cyber-attacks continue to evolve and grow every day, so it is crucial that agencies across our government prioritize efforts to better protect their networks from hackers.”


A congressional source told The Hill that while the subcommittee, which falls under the Senate Homeland Security and Governmental Affairs Committee, does not plan to hold any hearings around the results of this investigation, Portman will take the report's recommendations into account when considering any “legislative solutions.”


These recommendations centered around specific actions the Office of Management and Budget (OMB) should take to ensure these agencies reach a higher level of information security.


Steps include OMB ensuring that agency chief information officers (CIOs) have the authority to make agency-wide cybersecurity decisions, along with ensuring CIOs are regularly reporting to agency heads on information security programs. Further, the report recommended that all agencies should include progress reports on “cybersecurity audit remediation” in annual budget justifications to Congress.


The report was released during a week that the information security of federal agencies will be in the spotlight, with the House Oversight and Reform subcommittee on government operations set to hold a hearing later this week to examine the results of the biannual Federal IT Acquisition Reform Act (FITARA) scorecard.


This scorecard scores aspects of federal agencies’ information technology work, including cybersecurity, transparency and risk management, and the level of technological modernization.


The last FITARA scorecard, published in December, awarded the USDA, the Treasury Department, and the Department of Defense overall scores of a D on these issues, while agencies including the SSA and the Department of Energy received Bs, with no agency awarded an A. 


Source: Senate investigation finds multiple federal agencies left sensitive data vulnerable to cyberattacks for past decade (The Hill)

