"It is appropriate for the White House to envision a federal role in protecting privately-owned infrastructure, particularly when that infrastructure undergirds the nations' economy and society," suggests the report. "However, for the country's citizens and businesses to take the government's effort seriously, the federal government should address the immediate danger posed by the insecurity of its own critical networks."
Before looking at the security history of individual agencies, such as the Departments of Homeland Security, Education and Energy, the IRS, and the SEC, the report highlights some of the more outstanding breaches of recent years. These include the 'zombie attack' where the the Emergency Broadcast System warned that "the bodies of the dead are rising from their graves and attacking the living;" the theft of the US Army's database of 85,000 dams together with their potential weaknesses; and the exposure of the cybersecurity details for nuclear plants by the Nuclear Regulatory Commission.
This, says the report, is despite the federal government spending $65 billion on securing its computers and networks since 2006. "And yet agencies — even agencies with responsibilities for critical infrastructure, or vast repositories of sensitive data — continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information."
“As a taxpayer, I’m outraged,” said Alan Paller, research director at the SANS Institute, who reviewed a draft version of the report ahead of its official release. “We’re spending all this money and getting so little impact for it.” (Washington Post)
The report suggests that agencies' weaknesses are frequently down to a failure to do the basic, simple things in security – such as changing default passwords, or not using weak ones; often in violation of the agencies' own policies. "GAO [Government Accountability Office] has cited IRS for allowing old, weak passwords in every one of its reports on IRS’ information security for the past six years," it says.
Adequate patching would appear to be as much a problem within the agencies as it is in the business world. The Department of Energy is fairly typical: "In 2013, the IG [Inspector General] found that 41 percent of the Department’s desktop computers auditors examined were running operating systems or applications which had known vulnerabilities that were not patched, even though the software developers had made patches available."
Physical security is not ignored. "To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops — even two credit cards left out."
There is a danger, however, that the report might be dismissed as inter-party politicking. A spokesperson for Sen. Tom Carper, the Delaware Democrat who chairs the Homeland Security and Governmental Affairs Committee, downplays the significance of the GOP report, saying the report "appears to reiterate some well-known security challenges identified in previous inspector general reports."
GovInfoSecurity reports, "Carper sees the GOP report as fodder to get Congress to reform the Federal Information Security Management Act, the nearly dozen-year-old law that governs federal government IT security."