You may be outraged when you read the latest bipartisan U.S. Senate report on federal cybersecurity.
In a nutshell, the report released earlier this month says U.S. federal agencies took “minimal” steps to fix the cybersecurity problems found two years ago. The failure to act leaves U.S. citizens vulnerable to foreign countries stealing our information and shutting down services with ransomware.
The agencies in question are: Housing and Urban Development (HUD), the U.S. Department of Agriculture (USDA), Health and Human Services (HHS), the Department of Education, the Social Security Administration, the U.S. State Department, and the Department of Transportation (DOT).
To give you a sense of what’s at risk, the report cites mortgage applications (HUD), financial aid applications (Education), Medicare Beneficiary Enrollment information (HHS), and Social Security account information. Some agencies are storing this data on aging, unpatched, vulnerable legacy systems.
“It was no surprise” that Russian and Chinese hackers succeeded in penetrating – and stealing – U.S. data, the report said. “What this report finds is stark.”
The good news is an eighth agency – the Department of Homeland Security – improved its cybersecurity measures after failing to pass basic checks in 2019, the report said. Homeland Security is responsible for protecting U.S. entities from Russian, Chinese, and other foreign enemy hackers, so it should be using strong cyber measures.
But the other seven agencies failed to fully secure their data, the report said. Among the problems listed:
- Not giving agency CIOs the budget or authority to implement security measures
- Not following laws that require implementation of security measures
- Clinging to out-of-date legacy systems that are likely the backbones of agency services
- Using unique, custom-built systems that cost multiples more than off-the-shelf solutions and perform worse than the market solutions
There are 16 agencies within the U.S. government, and the 2019 and 2021 reports look at the eight scoring the lowest on cybersecurity, as measured by audits done by each agency’s Inspector General.
The other eight agencies are Commerce (home of NIST), Energy, Labor, Interior, Justice, Treasury, Defense, and Veterans Administration. While they also experienced breaches, they apparently employ better cyber measures than the eight agencies covered by the Senate report.
With 2021’s SolarWinds and Pulse Connect Secure breaches, “it is clear that the data entrusted to these eight key agencies remain at risk,” the Senate report says. “As hackers, state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII (Personally Identifiable Information) and national security secrets to remain vulnerable.”
So what does the report recommend? Follow the basic NIST (National Institute of Standards and Technology) standards for cybersecurity, including:
- Use up-to-date systems
- Apply updates (patches) as soon as they are released
- Maintain accurate inventories of IT assets (servers, tablets, laptops, etc.)
- Be able to detect and mitigate intrusions and other security incidents promptly
- Enforce strict user access policies, including terminating accounts when employees leave
- Control how and which devices connect to your networks
- Block unauthorized transfers of your confidential data
The Senate report comes from the Committee on Homeland Security and Governmental Affairs, headed by Sen. Rob Portman (R-Ohio) of Cincinnati, ranking member, and Sen. Gary Peters (D-Mich.), chairman.
Read more and download the full report at the Homeland Security Digital Library.
If you need help achieving the NIST recommendations above, we can help. Get started by contacting us to discuss.