Recent cyber attacks on the United States resulted in a spike in gasoline prices earlier this year after a crucial pipeline was taken offline by ransomware, while a similar attack impacted Americans’ food supply chain. Several American cities have also been targeted by cyber criminals in ransomware attacks in the past decade, while breaches of government systems have resulted in the theft of millions of individuals’ sensitive data.
The problem is likely going to get worse before it gets better, according to a new bipartisan report prepared by U.S. Senators Rob Portman (R-Ohio) and Gary Peters (D-Mich.), the Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee. The federal agencies responsible for safeguarding the cybersecurity and personal data of Americans have largely failed to implement even basic defenses, the 47-page report warned.
As a result, the agencies earned a grade of C- for falling short of federally mandated standards, and the report warned that the personal information of American citizens remains at high risk, despite the wave of high-profile cyber attacks.
“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data,” said Sen. Portman in a statement.
“This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers. I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade – the American people deserve better. In the coming months, I will be introducing legislation to address the recommendations raised in this report so that America’s data is protected. This report makes it clear that the Biden administration must also ensure there is a single point of accountability for federal cybersecurity to oversee the implementation of our recommendations and address these cybersecurity failures.”
The report, titled “Federal Cybersecurity: America’s Data Still at Risk,” found that two years after Portman’s 2019 bipartisan report on federal agency cybersecurity, which he released as then-Chairman of the Permanent Subcommittee on Investigations (PSI), there are still systemic failures to safeguard American data.
The report especially called out the Department of State; the Department of Transportation; the Department of Housing and Urban Development; the Department of Agriculture; the Department of Health and Human Services; the Department of Education; and the Social Security Administration.
The lawmakers noted that the agencies had failed or otherwise come up short in several areas of security: protecting personally identifiable information adequately, maintaining accurate and comprehensive IT asset inventories, maintaining current authorizations to operate for information systems, installing security patches quickly, and most notably retiring legacy technology no longer supported by the vendor.
According to the report, six agencies operated systems without current authorizations to operate; seven agencies used legacy systems or applications no longer supported by the vendor with security updates; six agencies failed to install security patches and other vulnerability remediation controls quickly; seven agencies failed to maintain accurate and comprehensive information technology asset inventories; and seven agencies failed to protect personally identifiable information adequately.
“This is an unnerving report and should be considered as a call to action,” Doug Britton, CEO of Haystack Solutions, told ClearanceJobs in an email.
“These agencies deal with data that reaches the heart of what helps our country work, regulating transportation, research, and social services,” Britton warned. “It is startling to see how basic cyber protections are still not yet in place as we continue to see significant breaches making headlines. We are under active threat and need to take immediate action and make significant investment into our cyber security infrastructure starting with our talent pipeline. We have the tools to find them regardless of their background. We need everyone we can muster to join this fight.”
Addressing the Issues
The lawmakers’ report offered several suggestions, including a call for a centrally coordinated approach to government-wide cybersecurity to ensure accountability, and a recommendation that the Office of Management and Budget (OMB) develop, and require agencies to adopt, a risk-based budgeting model for information technology investments.
Even those solutions, and the numerous others the report laid out, may not fully resolve the issue.
“While such comprehensive approaches are clearly necessary, they take time to develop and deploy. In the meantime, government agencies can substantially enhance their security posture by improving their execution around basic security practices,” said Jamie Lewis, Rain Capital venture partner, founder of The Burton Group and former Gartner executive.
“These include streamlining the consistent and timely implementation of patches for known system vulnerabilities, increasing the security awareness of front-line employees, and creating better incident response programs,” Lewis told ClearanceJobs. “Government agencies must also limit the collection and use of personal information, which will reduce the risks they must manage.”
Even as lawmakers in Washington are finally addressing critical infrastructure, there needs to be an understanding that cyber is also a critical part of that infrastructure, and that outdated security, legacy systems and inadequate training of users are all contributing to an ever-growing problem.
“Since cyber security investment often lags cyber crime, such lapses are not unusual in the federal and commercial sector,” Rajiv Pimplaskar, CRO of cyber research firm Veridium, said in an email.
“As the report indicates, systems housing user data or Personally Identifiable Information (PII) are especially vulnerable as they present bad actors with a honeypot of valuable information,” Pimplaskar explained to ClearanceJobs.
To address these issues, the mindset of agency leadership must change, and leaders must be ready to adapt to ever-growing threats.
“Like much of the cybersecurity industry, most agency security programs have invested significantly more in prevention technologies and products than they have in detective systems,” explained Lewis.
“But those products are failing. Insider threats, social engineering, zero-day attacks, state-sponsored attackers, and many other factors have made an over-reliance on prevention a losing bet,” he added. “Instead of pretending they can build impenetrable systems, government agencies must increase their ability to discover threats and orchestrate responses before they can do significant damage. Accomplishing that requires realigning both security architecture and the organization, which must come from the top.”