
‘Vast majority’ of federal agencies’ information security programs are ineffective: Senate report

A Senate report published Tuesday found that the “vast majority of federal agencies” have ineffective information security programs that risk the exposure of critical government data. According to the Senate Homeland Security and Governmental Affairs Committee’s survey, agencies’ inspectors general assessing the federal government’s cybersecurity gave the largest agencies an overall grade of C- on an A to F scale. The worst score of D went to several agencies, including the Commerce, Education, State, Transportation, and Veterans Affairs departments and NASA, the Office of Personnel Management, and the Social Security Administration.

Report authors Sens. Rob Portman, Ohio Republican, and Gary Peters, Michigan Democrat, wrote that no agency received an A for its cybersecurity program. “This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers,” Mr. Portman said. “I am concerned that many of these vulnerabilities have been outstanding for a decade — the American people deserve better.” The poor grades reflect the federal government’s inability to protect personal information adequately, as well as agencies’ failure to keep unauthorized users out of sensitive systems, update their technology, or maintain an inventory of their information technology.


The weaknesses of the federal government’s cybersecurity have received renewed scrutiny after the SolarWinds hack of computer network management software, which compromised nine federal agencies and was detected last year. The Biden administration blamed the Russian Foreign Intelligence Service (SVR) for the SolarWinds hacking campaign. The Senate report makes clear that cyber espionage inside the government is within reach of far less sophisticated actors.

“For example, the State Department could not provide documentation of user access agreements for 60% of the sample employees tested with access to the department’s classified network. This network contains data which, if disclosed to an unauthorized person, could cause ‘grave damage to national security,’” read the report. “Perhaps more troubling, [the State Department] failed to shut off thousands of accounts after extended periods of inactivity on both its classified and sensitive but unclassified networks.”

According to the report, some employees who were fired, quit, or retired still had access to their government accounts five months after they left the State Department. Agencies that scored relatively higher marks also have experienced cybersecurity challenges. For example, the U.S. Agency for International Development (USAID) received a B in the Senate report. In May 2021, Microsoft observed hackers breaching USAID systems to target 3,000 email accounts at more than 150 organizations. Microsoft said the cyber attackers responsible for the SolarWinds hack were also behind the campaign targeting USAID’s Constant Contact account. Constant Contact is a company that makes email marketing software.

The complete picture of sensitive government information exposed to hackers is unclear. On Friday, the Justice Department disclosed that the SolarWinds hack compromised email accounts across 27 U.S. Attorneys’ offices, including Washington and New York. A White House spokesperson said federal agencies had failed to address their information security weaknesses for decades and maintained that the Biden administration is now taking action to address the problem. The spokesperson pointed out that the Biden administration included money for cybersecurity modernization efforts in the coronavirus relief package enacted this year, including $1 billion for a tech modernization fund and $650 million for the Cybersecurity and Infrastructure Security Agency.

The spokesperson also said the administration is implementing President Biden’s executive order from May on cybersecurity, designed to improve guidelines for government vendors and to develop a framework for federal civilian agencies to use cloud services, among other things. Mr. Portman said he would offer new legislation to better protect Americans’ data, and Mr. Peters, who chairs the Homeland Security panel, said he would work with the Ohio Republican to ensure that federal agencies change their cybersecurity practices.
