Bipartisan report finds agencies plagued by cyber woes
Several major federal agencies continue to fail to address recurring cybersecurity vulnerabilities or implement basic standards that would protect the public’s sensitive information, according to the results of a new bipartisan congressional investigation.
A review issued on Tuesday by the Senate Homeland Security Committee found that, despite years of warnings, agencies such as the State, Education, Agriculture and Health and Human Services departments have not established effective cybersecurity programs or complied with federal information security standards.
Only the Homeland Security Department created an effective information security program through its Cybersecurity and Infrastructure Security Agency, the report concluded.
“This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers,” Sen. Rob Portman (Ohio), the panel’s top Republican, said in a statement.
“I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade — the American people deserve better,” he added.
The newly minted report — which studies the fiscal 2020 inspectors general evaluations of the eight agencies, including the Transportation and Housing and Urban Development departments and the Social Security Administration — is a follow-up to one that Portman, then chair of the panel’s Permanent Subcommittee on Investigations, issued in 2019.
Some of the incidents cited in the report include:
- State left thousands of accounts active on both its classified and unclassified networks after employees left the agency.
- Transportation couldn’t account for more than 14,000 IP assets, including over 7,000 mobile devices, nearly 5,000 servers and close to 3,000 workstations.
- Agriculture had vulnerabilities on the agency's public-facing websites that were unknown to the agency.
- At Education, auditors were able to exfiltrate hundreds of files containing sensitive, personally identifiable information, including 200 credit card numbers, without the department noticing.
A committee aide said that a “large part” of why agencies are plagued with performance issues is that there is no single organization that is responsible for federal cybersecurity.
That “balkanization of cybersecurity across federal agencies, it has been a persistent problem,” the aide said.
The report recommends, among other things, that the Office of Management and Budget develop a risk-based budget model for IT investments; that Congress update a 2014 law that gave agency CIOs recommended powers; and that DHS provide lawmakers with a plan to update EINSTEIN, the department’s network monitoring program, which is slated to expire next year.
In a statement, Senate Homeland Security Committee Chair Gary Peters (D-Mich.) vowed to work with Portman on legislation to “federal IT systems and ensure that federal agencies are taking necessary steps to prevent Americans’ valuable information from being stolen.”
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.