Seven out of eight key federal agencies have failed to meet the basic cybersecurity standards expected of them over the past decade, despite being warned by a Senate committee two years ago, according to a new bipartisan report.
The Committee on Homeland Security’s new report, Federal Cybersecurity, America’s Data Still at Risk, claimed seven agencies had made “minimal improvements” over the period, and only the Department of Homeland Security (DHS) “managed to employ an effective cybersecurity regime for 2020.”
These seven are the Departments of State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, Education and the Social Security Administration.
The report analyzed the fiscal 2020 audits produced by each department’s inspector general and found “essentially the same failures as the prior ten years.”
These included: inadequate protection for personally identifiable information (PII); failure to maintain accurate IT asset inventories; failure to install timely patches; and use of legacy systems and applications.
The report claimed that even though the DHS came top with a “B” grade, it had still failed to properly apply patches over the past 12 years.
Other concerning findings included that the Department of Transportation had no record of over 14,000 of its IT assets, and the Department of Agriculture had no knowledge of a “significant number” of high severity bugs on its public-facing websites. The State Department could not provide documentation for 60% of employees with access to its classified network.
The findings come at a time when the US government is being regularly probed by state-backed attackers, especially from Russia and China. Notable recent campaigns include the Kremlin’s SolarWinds attacks, which compromised nine federal agencies, and the exploitation of vulnerabilities in Pulse Connect Secure, which enabled Beijing-backed operatives to infiltrate multiple agencies.
Burton Group founder and former Gartner executive, Jamie Lewis, said a mindset change had to take place among agency leadership.
“Government agencies can substantially enhance their security posture by improving their execution around basic security practices. These include streamlining the consistent and timely implementation of patches for known system vulnerabilities, increasing the security awareness of front-line employees, and creating better incident response programs,” he added.
“Government agencies must also limit the collection and use of personal information, which will reduce the risks they must manage.”
It’s hoped that President Biden’s recent executive order on cybersecurity will also force agencies to improve baseline security.