Cybersecurity at eight federal agencies is so poor that four of them earned grades of D, three got Cs, and only one received a B in a report issued Tuesday by a US Senate Committee.
“It is clear that the data entrusted to these eight key agencies remains at risk,” the 47-page report stated. “As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable.”
The report, issued by the Senate Committee on Homeland Security and Governmental Affairs, comes two years after a separate report found systemic failures by the same eight federal agencies in complying with federal cybersecurity standards. The earlier report found that during the decade spanning 2008 to 2018, the agencies failed to properly protect personally identifiable information, maintain a list of all hardware and software used on agency networks, and install vendor-supplied security patches in a timely manner.
The 2019 report also highlighted that the agencies were operating legacy systems that were costly to maintain and hard to secure. All eight agencies—including the Social Security Administration and the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education—failed to protect sensitive information they stored or maintained.
Tuesday’s report, titled Federal Cybersecurity: America’s Data Still at Risk, analyzed security practices by the same agencies for 2020. It found that only one agency had earned a grade of B for its cybersecurity practices last year.
“What this report finds is stark,” the authors wrote. “Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. As such, this report finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.”
The authors assigned the following grades:
|Department of State||D|
|Department of Transportation||D|
|Department of Education||D|
|Social Security Administration||D|
|Department of Agriculture||C|
|Department of Health and Human Services||C|
|Department of Housing and Urban Development||C|
|Department of Homeland Security||B|
State Department systems, the auditors found, frequently operated without the required authorizations, ran software (including Microsoft Windows) that was no longer supported, and failed to install security patches in a timely manner.
The department’s user management system came under particular criticism because officials couldn’t provide documentation of user access agreements for 60 percent of sample employees that had access to the department’s classified network.
The auditors wrote:
This network contains data which if disclosed to an unauthorized person could cause “grave damage” to national security. Perhaps more troubling, State failed to shut off thousands of accounts after extended periods of inactivity on both its classified and sensitive but unclassified networks. According to the Inspector General, some accounts remained active as long as 152 days after employees quit, retired, or were fired. Former employees or hackers could use those unexpired credentials to gain access to State’s sensitive and classified information, while appearing to be an authorized user. The Inspector General warned that without resolving issues in this category, “the risk of unauthorized access is significantly increased.”
The Social Security Administration, meanwhile, suffered many of the same shortcomings, including a lack of authorization for many systems, use of unsupported systems, failure to Compile an Accurate and Comprehensive IT Asset Inventory, and Failure to Provide for the Adequate Protection of PII.
Details about the other departments are available in the report linked earlier.
The report comes seven months after the discovery of a supply chain attack that led to the compromise of nine federal agencies and about 100 private companies. In April, hackers working on behalf of the Chinese government breached multiple federal agencies by exploiting vulnerabilities in the Pulse Secure VPN.
For all of 2020, the White House reported 30,819 information security incidents across the federal government, an 8 percent increase from the prior year.