From NASA to the State Department, federal agencies are relying on outdated systems, ignoring mandatory security patches and failing to protect classified data.
On August 3rd, the Senate Homeland Security Committee released a bipartisan 47-page review of the federal government's cybersecurity preparedness, and the title says it all: America's Data Still At Risk. This was a follow-up to their 2019 report, America's Data At Risk, which brought national attention to the shocking gaps that persisted across all branches of the US government. Two years and countless data breaches later, not much has changed.
While the entire report is worth a read, here are some of the main concerns highlighted by the senators.
Security Incidents are Up
In 2020 alone, the White House reported 30,819 information security incidents across the federal government. This represents an 8% increase from 2019, just in terms of the sheer quantity of attacks.
Unfortunately, however, the quality and efficacy of cyberattacks have also increased. In particular, the report mentions the Russian SolarWinds attack from December 2020 and the Chinese Pulse attack from April 2021, two of the most successful cyberattacks in recent history.
In addition, we've written extensively about the unprecedented string of attacks that have plagued core infrastructure and supply chain services including:
Proliferation of Undocumented Assets and Shadow IT
It's become a truism in the security industry that you can't protect what you don't know. In the case of the federal government, there have been thousands of cases of undocumented assets being used without any oversight, regulation, or even knowledge. Three such offenders stand out:
The Department of Housing and Urban Development, or HUD, discovered that an entire "unauthorized 'shadow IT'" system on the agency's network "existed without approved authorities to operate."
Meanwhile, the State Department failed to account for more than half of employees with access to their classified networks. According to the report, the State Department "left thousands of accounts active after an employee left the agency for extended periods of time on both its classified and unclassified networks."
Finally, at the Department of Transportation, no records could be found for 15,000 IT assets including "7,231 mobile devices, 4,824 servers, and 2,880 workstations."
Non-Compliance with the Federal Information Security Modernization Act (FISMA)
FISMA was passed in 2014 to shore up federal cybersecurity, and bring the US government's information security into the digital age. Seven years later, the Senate report found that not a single agency has successfully complied with FISMA and that "all agencies failed to comply with statutory requirements to certify to Congress they have implemented certain key cybersecurity requirements including encryption of sensitive data, least privilege, and multi-factor authentication."
In addition, the Department of Homeland Security's cyber-intrusion detection system, named EINSTEIN, has never been fully implemented, and suffers from "significant limitations in detecting and preventing intrusions." With billions of dollars at risk, DHS will need to update the system and provide a clear roadmap for implementation, or risk having the system shelved entirely.
It's not all bad news. While the federal government has a lot of work to do to meet even a basic level of security preparedness, the report outlines clear steps that can be taken to help with that effort. Fortunately, the US already has the expertise, money, and desire to create a world class cybersecurity program. The problem, it seems, comes down to a lack of centralization of duties. This creates a political vacuum as well as making it hard to determine who exactly is responsible for what.
As a member of the reporting committee puts it, "there isn't currently a single point of accountability, government-wide, for cybersecurity. Each agency is responsible for its own cybersecurity, but government-wide it's not clear who is responsible for coordinating the whole strategy."
In response, the report recommends that the administration assign a primary office to develop and implement a cybersecurity strategy for the entire federal government. The most obvious candidate for this would be the Cybersecurity and Infrastructure Security Agency (CISA), which was launched in 2019 and currently acts as a sort of resource center for all things cybersecurity. However, it would need to be given an additional mandate and budget if it is to take a more expanded role.
Now, the only question is whether Congress and the Administration will take decisive action to implement real and lasting investments in our long-term security, or allow the power of inertia and bureaucracy to keep us on our current path of mishaps and carelessness.