Cyber security at eight federal agencies is so bad that four of them got D ratings, three got Cs, and only one received a B in a report released Tuesday by a U.S. Senate committee.
“It is clear that the data entrusted to these eight key agencies remains at risk,” the 47-page report declared. “As hackers, both state sponsored and others, become more sophisticated and persistent, Congress and the executive cannot continue to allow PII and national security secrets to remain vulnerable.”
The report, released by the Senate Committee on Homeland Security and Government Affairs, comes two years after a separate report uncovered systemic failures by the same eight federal agencies in meeting federal cybersecurity standards. The previous report found that during the decade from 2008 to 2018, agencies failed to adequately protect personally identifiable information, maintain a list of all hardware and software used on agency networks, and install the security fixes provided by vendors in a timely manner.
The 2019 report also pointed out that agencies are running legacy systems that are expensive to maintain and difficult to secure. The eight agencies, including the Social Security Administration and the departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education, failed to protect the sensitive information they stored or retained.
Tuesday’s report, titled Federal Cybersecurity: America’s Data Still at Risk, analyzed the security practices of the same agencies for 2020. It revealed that only one agency achieved a B rating for its cybersecurity practices last year.
“What this report finds is striking,” the authors wrote. “Inspectors General have identified many of the same issues that have plagued federal agencies for over a decade. Seven agencies made minimal improvements, and only DHS succeeded in implementing an effective cybersecurity regime for 2020. As such, this report finds that these seven federal agencies still did not meet the basic cybersecurity standards necessary to protect America’s sensitive data.”
The authors assigned the following ratings:
| Agency | Rating |
|---|---|
| Department of Transportation | D |
| Department of Education | D |
| Social Security Administration | D |
| Department of Agriculture | C |
| Department of Health and Human Services | C |
| Department of Housing and Urban Development | C |
| Department of Homeland Security | B |
Auditors found that State Department systems often ran without the required authorizations, ran software (including Microsoft Windows) that was no longer supported, and failed to install security patches in a timely manner.
The department’s user management was particularly criticized because officials could not provide documentation of user access agreements for 60 percent of the sampled employees who had access to the department’s classified network.
The auditors wrote:
This network contains data which, if disclosed to an unauthorized person, could cause “serious damage” to national security. Perhaps more troubling, State has failed to close thousands of accounts after long periods of inactivity on its classified and sensitive but unclassified networks. According to the Inspector General, some accounts remained active for up to 152 days after employees left, retired or were laid off. Former employees or hackers could use these unexpired credentials to gain access to sensitive and classified government information while appearing to be an authorized user. The inspector general warned that without resolving the problems in this category, “the risk of unauthorized access is greatly increased.”
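The finding above is a control failure that is easy to check for mechanically: accounts that stay enabled after an employee separates, or that nobody has used for a long time. The following script is an added example, not part of the report or of any agency's tooling. It assumes a directory export in a simple CSV shape (username, enabled flag, last login, HR separation date, network) and an inactivity limit of 90 days, which is an assumed policy value; the sample export is constructed, with one record deliberately mirroring the 152-day figure the report cites.

```python
"""Flag enabled accounts that should have been disabled.

Added example; the export format, field names and the 90-day limit are
assumptions, not taken from the Senate report or any agency.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

INACTIVITY_LIMIT_DAYS = 90  # assumed policy value, not from the report


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]     # None if the account has never logged in
    separated_on: Optional[date]   # HR separation date, None if still employed
    network: str                   # e.g. "classified" or "sbu" (assumed labels)


def _opt_date(value: str) -> Optional[date]:
    """Parse an ISO date, treating an empty field as 'not set'."""
    return date.fromisoformat(value) if value else None


def parse_export(text: str) -> List[Account]:
    """Parse the assumed CSV export into Account records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Account(
            username=row["username"],
            enabled=row["enabled"].strip().lower() == "true",
            last_login=_opt_date(row["last_login"].strip()),
            separated_on=_opt_date(row["separated_on"].strip()),
            network=row["network"].strip(),
        )
        for row in reader
    ]


# Each finding: (username, reason, days). `days` is None where it does not apply.
Finding = Tuple[str, str, Optional[int]]


def audit_accounts(accounts: List[Account], as_of: date) -> List[Finding]:
    """Return enabled accounts that violate the offboarding/inactivity rules.

    Disabled accounts are skipped: the control only concerns accounts that can
    still authenticate. Separation is checked first because an account that
    outlives its owner's employment is the more serious finding, regardless of
    how recently it was used.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.separated_on is not None and acct.separated_on <= as_of:
            days_since_separation = (as_of - acct.separated_on).days
            findings.append((acct.username, "active_after_separation", days_since_separation))
            continue
        if acct.last_login is None:
            findings.append((acct.username, "never_logged_in", None))
            continue
        idle_days = (as_of - acct.last_login).days
        if idle_days > INACTIVITY_LIMIT_DAYS:
            findings.append((acct.username, "inactive", idle_days))
    return findings


# Constructed sample export (not real data). "bob" separated on 2020-09-01 and is
# still enabled 152 days later, mirroring the figure cited in the report.
SAMPLE_EXPORT = """username,enabled,last_login,separated_on,network
alice,true,2021-01-28,,classified
bob,true,2020-08-01,2020-09-01,classified
carol,true,2020-10-01,,sbu
dave,false,2020-05-01,2020-06-15,sbu
erin,true,,,classified
"""


def run_sample() -> List[Finding]:
    """Audit the constructed export as of 2021-01-31."""
    return audit_accounts(parse_export(SAMPLE_EXPORT), date(2021, 1, 31))


if __name__ == "__main__":
    for username, reason, days in run_sample():
        print(f"{username:8} {reason:24} {'' if days is None else days}")
```

On the constructed export this flags bob (enabled 152 days after separation), carol (122 days idle on the sensitive-but-unclassified network) and erin (never used), while alice passes and dave is ignored because the account is already disabled. In practice the same logic would be fed from the directory's own export and the findings routed to whoever owns account deprovisioning.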
The Social Security Administration, meanwhile, suffered many of the same shortcomings, including a lack of authorization for many systems, the use of unsupported systems, the inability to compile an accurate and complete inventory of IT assets, and failure to provide adequate protection of personal information.
Details on other departments are available in the previously linked report.
The report comes seven months after the discovery of a supply chain attack that led to the compromise of nine federal agencies and around 100 private companies. In April, hackers working for the Chinese government breached several federal agencies by exploiting vulnerabilities in Pulse Secure VPN.
For all of 2020, the White House reported 30,819 information security incidents across the federal government, an 8% increase from the previous year.