While there are countless irresponsible websites that retain personally identifiable information (PII), perhaps the federal government’s websites should be the ones we’re most wary of. A report released by the Senate Permanent Subcommittee on Investigations on Tuesday, analyzing data from 2006 to 2015, found that the number of cyberincidents, including data breaches, reported by federal agencies increased 1300% over that span.
The Senate subcommittee reviewed audits of the eight agencies with the lowest cybersecurity ratings based on an Office of Management and Budget (OMB) review of their compliance with the National Institute of Standards and Technology’s (NIST) cybersecurity framework. The agencies reviewed included the departments of State, Transportation (DOT), Housing and Urban Development (HUD), Agriculture (USDA), Health and Human Services (HHS), Education and Homeland Security (DHS), as well as the Social Security Administration (SSA).
These agencies, in general, failed to meet even basic requirements.
The State Department, DOT, HUD, the Education Department and SSA all failed to protect the PII on file. This puts at risk the information of any citizen who has engaged with one of these departments. The HUD inspector general noted that the lack of PII protection has been an issue in nine of the last 11 audits.
Five of the eight agencies did not maintain comprehensive and accurate lists of their information technology (IT) assets. If an agency does not document which applications are running on its network, it cannot maintain security standards for them.
Moreover, all eight agencies failed to fix cyber vulnerabilities and apply important security patches in a timely manner. For most of these agencies, the failure to patch security vulnerabilities plagued at least seven of their last 10 audits.
Many of the systems these federal agencies relied on were also too old to receive current security updates. All eight agencies reviewed relied on outdated legacy systems. DHS, for instance, relies on practically expired systems such as Windows XP and Windows Server 2003.
Congress has attempted to combat these issues since the creation of the federal chief information officer (CIO) role in the 1990s. Legislation such as the Federal Information Security Management Act (FISMA) and the Federal Information Technology Acquisition Reform Act (FITARA) also pushed agencies to make their IT systems secure and up to date.
The Government Accountability Office (GAO) reported in August 2018 that, despite these legislative efforts, no agency had properly implemented the CIO role to overhaul these systems as Congress directed.
Government security breaches leave Americans vulnerable. In 2015, for example, over 22 million security clearance files filled with PII and other compromising information were exfiltrated by a hacker. The impact on national security, the Senate subcommittee reported, may never be fully understood.
“The federal government … is failing to implement basic cybersecurity standards necessary to protect America’s sensitive data,” the Senate subcommittee concluded.
Alarming report, but hopefully this can spur action to improve cybersecurity standards and practices across agencies!