Two years after the publication of a damning cybersecurity report, auditors have found little improvement.
Cybersecurity at eight federal agencies is so poor that four of them earned grades of D, three got Cs, and only one received a B in a report issued Tuesday by a US Senate Committee.
“It is clear that the data entrusted to these eight key agencies remains at risk,” the 47-page report stated. “As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable.”
The report, issued by the Senate Committee on Homeland Security and Governmental Affairs, comes two years after a separate report found systemic failures by the same eight federal agencies in complying with federal cybersecurity standards. The earlier report found that during the decade spanning 2008 to 2018, the agencies failed to properly protect personally identifiable information, maintain a list of all hardware and software used on agency networks, and install vendor-supplied security patches in a timely manner.
The 2019 report also highlighted that the agencies were operating legacy systems that were costly to maintain and hard to secure, and that eight agencies, including the Social Security Administration and the Departments of Homeland Security, State, Transportation, and Housing and Urban Development, failed to secure sensitive information they held or maintained.
Tuesday’s report, titled Federal Cybersecurity: America’s Data Still at Risk, analyzed the same agencies’ security practices for 2020. Only one agency received a B grade for its cybersecurity practices over that year.
“What this report finds is stark,” the authors wrote. “Inspectors identified many of the same problems that plague Federal agencies for over a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. This report shows that seven Federal agencies have failed to meet the cybersecurity standards required to protect America’s sensitive information.”
The authors assigned the following grades:
| Agency | Grade |
|---|---|
| Department of State | D |
| Department of Transportation | D |
| Department of Education | D |
| Social Security Administration | D |
| Department of Agriculture | C |
| Department of Health and Human Services | C |
| Department of Housing and Urban Development | C |
| Department of Homeland Security | B |
State Department systems, the auditors found, frequently operated without the required authorizations, ran software (including Microsoft Windows) that was no longer supported, and failed to install security patches in a timely manner.
The department’s user management system came under particular criticism because officials couldn’t provide documentation of user access agreements for 60 percent of the sampled employees who had access to the department’s classified network.
The auditors wrote:
This network contains data which if disclosed to an unauthorized person could cause “grave damage” to national security. Even more concerning is the failure of State to close thousands of accounts that remained inactive for extended periods on its classified and sensitive networks. According to the Inspector General, some accounts remained active as long as 152 days after employees quit, retired, or were fired. These credentials could be used by hackers or former employees to gain access to State’s classified and sensitive information while appearing to be authorized users. The Inspector General warned that without resolving issues in this category, “the risk of unauthorized access is significantly increased.”
The Social Security Administration, meanwhile, suffered many of the same shortcomings, including a lack of authorization for many systems, use of unsupported systems, failure to compile an accurate and comprehensive IT asset inventory, and failure to provide adequate protection of PII.
Details about the other departments are available in the report linked earlier.
The report comes seven months after the discovery of a supply chain attack that led to the compromise of nine federal agencies and about 100 private companies. Hackers working for the Chinese government broke into multiple federal agencies using vulnerabilities in the Pulse Secure VPN.
For all of 2020, the White House reported 30,819 information security incidents across the federal government, an 8 percent increase from the prior year.
https://arstechnica.com/?p=1784956, Ars Technica