Cybersecurity across eight federal agencies is so poor that four of them earned D ratings, three earned Cs, and only one received a B in a report released Tuesday by a U.S. Senate Committee.
“It is clear that the data entrusted to these eight key agencies remains at risk,” said the 47-page report. “As hackers, both state sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable.”
The report, issued by the Senate Committee on Homeland Security and Government Affairs, comes two years after a separate report found systemic failures by the same eight federal agencies in meeting federal cybersecurity standards. The previous report found that during the decade from 2008 to 2018, agencies failed to adequately protect personally identifiable information, failed to maintain an inventory of all hardware and software used on agency networks, and failed to install vendor-provided security patches in a timely manner.
The 2019 report also highlighted that agencies were operating legacy systems that were expensive to maintain and difficult to secure. The eight agencies, namely the Social Security Administration and the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education, did not protect the confidential information they stored or maintained.
Tuesday’s report, titled Federal Cybersecurity: America’s Data Still at Risk, analyzed the security practices of the same agencies for 2020. It found that only one agency had earned a B grade for its cybersecurity practices in the past year.
“What this report finds is compelling,” the authors wrote. “Inspectors General identified many of the same problems that have plagued federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS succeeded in employing an effective cybersecurity regime by 2020. As such, this report finds that these seven federal agencies have not yet met the basic cybersecurity standards necessary to protect sensitive United States data.”
The authors assigned the following ratings:

| Agency | Grade |
|---|---|
| Department of State | D |
| Department of Transportation | D |
| Social Security Administration | D |
| Department of Health and Human Services | C |
| Department of Housing and Urban Development | C |
| Department of Homeland Security | B |
Auditors found that State Department systems frequently operated without required authorizations, ran software (including Microsoft Windows) that was no longer supported, and failed to install security patches in a timely manner.
The department’s user management came under particular criticism because officials were unable to produce documented user access agreements for 60 percent of the sampled employees who had access to the department’s classified network.
The auditors wrote:
This network contains data that, if disclosed to an unauthorized person, could cause “serious harm” to national security. Perhaps most worryingly, State failed to close thousands of accounts after long periods of inactivity on its classified and sensitive but unclassified networks. According to the Inspector General, some accounts remained active for up to 152 days after employees resigned, retired or were laid off. Former employees or hackers could use those still-valid credentials to gain access to confidential and classified State information while appearing to be an authorized user. The Inspector General cautioned that without solving the problems in this category, “the risk of unauthorized access increases significantly.”
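The finding above is a deprovisioning failure: accounts of separated employees and accounts nobody has used for months stay enabled. The check an auditor (or a defender) runs to surface them is straightforward to automate. The following is an added example, not code from the report or from any agency: it joins a constructed directory export against constructed HR separation records and flags enabled accounts that belong to separated staff, have never logged on, or have exceeded an inactivity threshold. The 90-day threshold, the reference date, and all usernames are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]  # None means the account has never logged on


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str          # "separated", "never-logged-on" or "inactive"
    days: Optional[int]  # days since separation or since last logon


# Constructed sample directory export (hypothetical usernames, not real data).
AS_OF = date(2021, 8, 3)  # assumed audit date
ACCOUNTS: List[Account] = [
    Account("jdoe", True, date(2021, 7, 30)),    # separated 152 days ago, still enabled and in use
    Account("asmith", True, date(2021, 1, 10)),  # current employee, no logon in 205 days
    Account("bwong", True, date(2021, 8, 2)),    # healthy, recently used
    Account("svc_backup", True, None),           # enabled but never logged on
    Account("rlee", False, date(2021, 5, 20)),   # separated and already disabled: correct state
    Account("tkim", True, date(2021, 8, 1)),     # separation scheduled in the future, still employed
]

# Constructed HR separation records: username -> last day of employment.
SEPARATIONS: Dict[str, date] = {
    "jdoe": date(2021, 3, 4),
    "rlee": date(2021, 6, 1),
    "tkim": date(2021, 8, 15),
}


def find_stale_accounts(
    accounts: List[Account],
    separations: Dict[str, date],
    as_of: date,
    inactivity_limit_days: int = 90,  # assumed policy threshold
) -> List[Finding]:
    """Return enabled accounts that should have been disabled, sorted by username.

    Precedence: a separated employee's account is reported as "separated" even if it
    is still being used, because use after separation is the riskier condition.
    Disabled accounts are never reported; a separation dated after as_of is ignored.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        separated_on = separations.get(acct.username)
        if separated_on is not None and separated_on <= as_of:
            findings.append(Finding(acct.username, "separated", (as_of - separated_on).days))
            continue
        if acct.last_logon is None:
            findings.append(Finding(acct.username, "never-logged-on", None))
            continue
        idle = (as_of - acct.last_logon).days
        if idle > inactivity_limit_days:
            findings.append(Finding(acct.username, "inactive", idle))
    return sorted(findings, key=lambda f: f.username)


if __name__ == "__main__":
    for f in find_stale_accounts(ACCOUNTS, SEPARATIONS, AS_OF):
        print(f"{f.username:12} {f.reason:16} {f.days if f.days is not None else '-'}")
```

Run against the sample data, the script reports jdoe as separated 152 days ago but still enabled, asmith as inactive for 205 days, and svc_backup as never having logged on; rlee (already disabled) and tkim (separation date in the future) are not flagged. In practice the account list would come from an LDAP or Active Directory export and the separation list from the HR system; the join on username is the part that most often goes missing, and it is exactly the gap the Inspector General described.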
Meanwhile, the Social Security Administration suffered from many of the same shortcomings, including lack of authorization for many systems, use of unsupported systems, failure to compile an accurate and complete IT asset inventory, and failure to adequately protect PII.
Details about the other departments are available in the full report.
The report comes seven months after the discovery of the SolarWinds supply chain attack, which led to the compromise of nine federal agencies and about 100 private companies. In April, hackers believed to be working on behalf of the Chinese government breached several federal agencies by exploiting vulnerabilities in Pulse Secure VPN appliances.
For all of 2020, the White House reported 30,819 information security incidents across the federal government, an 8 percent increase from the previous year.