Federal agencies are “failing to implement basic cybersecurity standards” needed to protect Americans’ personal data and keep the nation’s secrets safe from hackers, a Senate investigation has concluded. The report, which drew on 10 years’ worth of inspector general reports at eight agencies, paints a picture of persistent neglect of standard network defense measures.
It comes more than four years after the breach of the Office of Personnel Management, in which alleged Chinese hackers stole sensitive personal data on 22 million current and former federal employees. Lessons from that sweeping compromise of American security clearances still haven’t been heeded, according to the report from the Senate Committee on Homeland Security and Government Affairs’ Permanent Subcommittee on Investigations.
“Despite major data breaches like OPM, the federal government remains unprepared to confront the dynamic cyberthreats of today,” laments the report, which covered the departments of Agriculture, Education, Health and Human Services, Homeland Security, Housing and Urban Development, State and Transportation, as well as the Social Security Administration. In addition to DHS, the Senate subcommittee chose to review the seven agencies that the Office of Management and Budget rated the poorest on cybersecurity.
“The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats,” said Sen. Rob Portman, R-Ohio, who chairs the subcommittee.
Several agencies aren’t properly guarding personally identifiable information (PII) they collect on Americans, the subcommittee report found. Seven of the eight agencies failed to secure PII in their most recent IG audits, the subcommittee said. It has been an acute struggle at HUD, where nine of the last 11 inspector general audits raised concerns over PII protection.
Another persistent challenge for the agencies has been applying software patches for security flaws, according to the report.
In April, DHS ordered federal civilian agencies to halve the time it takes to apply patches, citing evidence that hackers are getting quicker at exploiting vulnerabilities. That directive is sorely needed, the Senate investigation shows. Over the last decade, all eight agencies in the report failed to patch in a timely manner.
The agencies covered by the Senate report are hardly the only federal entities that have received bad cybersecurity news via inspector general reports. In recent months the Commerce Department’s Census Bureau and Patent and Trademark Office received critical audits, as well as the independent Small Business Administration and the Treasury Department’s Internal Revenue Service.
The report makes several recommendations to help agencies boost their defenses, including that they consolidate their security operations centers, which monitor cyberthreats.
“With this visibility, agencies could better detect cybersecurity incidents and exfiltration attempts,” the report states.
Despite being allocated over $3 billion annually in combined cybersecurity budgets, the eight agencies are still falling short of protecting their core assets. To fix that, the Senate investigators want the Office of Management and Budget to require agencies to use a “risk-based budgeting model” that ties IT spending to metrics.
“Agencies currently use their limited IT funds on capabilities for perceived security weaknesses instead of using those funds on the security risks most likely to be exploited by hostile actors,” the report concludes.