WASHINGTON, D.C. – Computer systems at seven federal agencies don’t comply with basic cybersecurity standards needed to protect sensitive data and still exhibit flaws they’ve had for years, even though the federal agencies have been repeatedly told what they should do to improve, according to a new study released by U.S. Senators Rob Portman of Ohio and Gary Peters of Michigan.
The flaws described in the new report from the Senate Homeland Security and Governmental Affairs Committee include failures to adequately protect personally identifiable information, to quickly install security patches, to maintain accurate and comprehensive IT asset inventories, to maintain current authorizations for information systems, and to retire legacy technology no longer supported by the vendor.
It said that in 2020, the White House reported 30,819 information security incidents across the federal government, an 8 percent increase from the previous year.
Citing incidents including Russia’s SolarWinds hack of government agencies and big companies, as well as ransomware attacks against critical infrastructure, Portman said, “it’s clear that cyberattacks are going to keep coming, and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data.”
“This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers,” said a statement from Portman, an Ohio Republican who said he plans to introduce legislation to address the longstanding problem.
Peters, a Michigan Democrat, said the report identified an urgent need to further strengthen cybersecurity defenses across the federal government.
“Shortcomings in federal cybersecurity allow cybercriminals to access Americans’ personal information, which not only compromises our national security — but risks the livelihoods of people in Michigan and across the country,” said Peters.
The report examined a sampling of federal agencies. Seven of the eight it examined had serious problems: the Department of State; the Department of Transportation; the Department of Housing and Urban Development; the Department of Agriculture; the Department of Health and Human Services; the Department of Education; and the Social Security Administration.
It said the State Department couldn’t provide security documentation for many of its employees with access to its classified network and left thousands of accounts active after employees left the agency for extended periods. Officials at the Transportation Department couldn’t account for almost 15,000 of the agency’s information technology assets, including mobile devices, servers and workstations. In a test of the Education Department’s security, the agency’s inspector general was able to breach thousands of sensitive files, including 200 credit card numbers, without the agency detecting it or blocking it.
It also included a cybersecurity report card for every federal cabinet department. The average grade was a C-.
Since a 2019 report from Portman’s committee that examined cybersecurity procedures at the same eight agencies, only the Department of Homeland Security (DHS) established an effective information security program, the report said, although it stated the National Cybersecurity Protection System (NCPS) that DHS has set up for federal agencies “suffers from significant limitations in detecting and preventing intrusions.”
The report recommends that DHS give Congress a plan to update that national cybersecurity protection system and to justify its cost, and that federal agencies establish a government-wide, centrally coordinated approach to cybersecurity.
Committee staffers said that because there’s no single, government-wide place that sets cybersecurity standards, the systems at each agency are “balkanized,” with each agency’s chief information officer setting their own policies. The report suggested that Congress update the Federal Information Security Modernization Act of 2014 to reflect current cybersecurity best practices and formally establish a lead agency for federal cybersecurity.
“Securing federal networks has never been more important,” the report says. “Federal agencies maintain the personal data of millions of Americans who have no say in how that information is maintained and protected.”