The State Department and three other US agencies get a D for cybersecurity
So bad is cybersecurity at eight federal agencies that four of them received a D rating, three Cs, and only one a B in a report released Tuesday by a U.S. Senate committee.
“It is clear that the data entrusted to these eight key agencies are still at risk,” said the 47-page report. “As hackers, both state-sponsored and otherwise, become more sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable.”
The report, issued by the Senate Homeland Security and Governmental Affairs Committee, comes two years after a separate report found systemic failures by the same eight federal agencies to comply with federal cybersecurity standards. The earlier report found that in the period from 2008 to 2018, the agencies failed to properly protect personal data, failed to keep an inventory of all hardware and software used on government networks, and failed to install vendor-supplied security patches in a timely manner.
The 2019 report also highlighted government agencies operating legacy systems that were costly to maintain and difficult to secure. All eight agencies – the Social Security Administration and the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education – had failed to protect sensitive information they stored or maintained.
Tuesday’s report, entitled Federal Cybersecurity: America’s Data Still at Risk, analyzed the security practices of the same agencies for 2020. It found that only one agency had received a B grade for its cybersecurity practices last year.
“What this report finds is stark,” the authors wrote. “Inspectors General identified many of the same problems that have plagued federal agencies for more than a decade. Seven agencies have made minimal improvements, and only DHS has managed to put in place an effective cybersecurity regime for 2020. Therefore, this report notes that these seven federal agencies are still not meeting the basic cybersecurity standards required to protect America’s sensitive data.”
The authors gave the following grades:
Department of Transportation: D
Department of Education: D
Social Security Administration: D
Department of Agriculture: C
Department of Health and Human Services: C
Department of Housing and Urban Development: C
Department of Homeland Security: B
The State Department’s systems, the auditors found, often operated without the required authorizations, ran unsupported software (including unsupported versions of Microsoft Windows), and did not install security patches in a timely manner.
The department’s user management was singled out for criticism because officials were unable to produce documentation of user access agreements for 60 percent of the sampled employees who had access to the department’s classified network.
The examiners wrote:
This network contains data which, if disclosed to an unauthorized person, could cause “serious damage” to national security. Perhaps even more disturbing, State failed to close thousands of accounts after prolonged inactivity on both its classified and its sensitive but unclassified networks. According to the Inspector General, some accounts remained active for 152 days after employees were terminated, retired, or laid off. Former employees or hackers could use these unexpired credentials to gain access to State’s sensitive and classified information while impersonating an authorized user. The Inspector General warned that without resolving the problems in this category, “the risk of unauthorized access is significantly increased”.
The Social Security Administration, meanwhile, suffered from many of the same shortcomings, including a lack of authorization for many systems, use of unsupported systems, failure to maintain an accurate and comprehensive inventory of IT assets, and failure to adequately protect PII.
Details on the other departments can be found in the report linked earlier.
The report comes seven months after the discovery of a supply chain attack that compromised nine federal agencies and about 100 private companies. In April, hackers working on behalf of the Chinese government broke into several federal agencies by exploiting vulnerabilities in Pulse Secure VPN appliances.
For 2020 as a whole, the White House reported 30,819 information security incidents across the federal government, an 8 percent increase from the previous year.