U.S. Federal Agencies Lagging Behind on Cybersecurity, Senate Committee Finds

Eight key U.S. government agencies continue to lag behind on their cybersecurity improvements, despite an overall 8 percent rise in security incidents in federal agencies, according to a report from the Senate Homeland Security and Governmental Affairs Committee.

The report, Federal Cybersecurity: America’s Data Still At Risk, found that only one out of the eight federal agencies audited for their cybersecurity programs—the U.S. Department of Homeland Security (DHS)—showed improvements in 2020. Seven out of the eight agencies still use legacy systems that are no longer supported by vendor security updates, which could put personally identifiable information (PII) and other sensitive material at risk of compromise.

This past year hackers have targeted everything from critical infrastructure to meatpacking centers and even our federal government. Chairman @SenGaryPeters asked @SecMaryorkas whether @DHSgov’s budget request for FY2022 is enough to prevent future attacks. pic.twitter.com/DzEXxp8mIa

— Homeland Security & Govt. Affairs Committee — Dems (@HSGAC) July 30, 2021

“It is clear that the data entrusted to these eight key agencies remain at risk,” the report said. “As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable.”

The report includes findings from key inspector general audits of federal agencies, including that the U.S. State Department could not provide documentation for 60 percent of the sample employees tested who had access to the agency’s classified network. The department also left thousands of accounts active after an employee left the agency.

The U.S. Department of Transportation had no record of 14,935 IT assets, including 7,231 mobile devices.

The U.S. Department of Agriculture’s public-facing websites had a significant number of high vulnerabilities that were unknown to the agency.

In a test of the U.S. Department of Education’s security, an inspector general was able to exfiltrate hundreds of sensitive PII files—including credit card numbers—without detection or intervention by the agency.

The Senate report issues a number of recommendations, including a call for Congress to update the 2014 Federal Information Security Modernization Act to require federal agencies to notify the DHS Cybersecurity and Infrastructure Security Agency (CISA) of cyber incidents and to formalize CISA’s role as the leader of federal cybersecurity operations, CyberScoop reported.

According to commentary from Jamie Lewis, a venture partner at Rain Capital, founder of the Burton Group, and a former executive at Gartner, “the news that our government agencies have not established comprehensive measures to manage these cybersecurity risks is not new. The report released by the Senate Homeland Security and Governmental Affairs Committee on Tuesday echoes previous reports issued by the Government Accountability Office (GAO) and other watchdog agencies. As the Senate committee, the GAO, and others have recommended, government agencies must develop a comprehensive and centralized strategy for national cybersecurity. That includes the implementation of government-wide cybersecurity initiatives and addressing weaknesses in federal agency information security programs.”

As Security Management reported earlier this year, the GAO has been highlighting federal cybersecurity risks for nearly 25 years, and recent executive action on cybersecurity initiatives may result in progress at last.  Lewis noted that broad action takes time, but that does not mean cybersecurity improvements must stall until formal directives are released.

Following a series of high-profile cyber incidents, a watchdog highlighted the increasing threat breaches, intrusions, and attacks pose to the U.S. government. https://t.co/d5rCsBQFnd

— Security Management (@SecMgmtMag) July 13, 2021

“While such comprehensive approaches are clearly necessary, they take time to develop and deploy,” he said. “In the meantime, government agencies can substantially enhance their security posture by improving their execution around basic security practices. These include streamlining the consistent and timely implementation of patches for known system vulnerabilities, increasing the security awareness of front-line employees, and creating better incident response programs. Government agencies must also limit the collection and use of personal information, which will reduce the risks they must manage.

“Perhaps most importantly, the mind-set of agency leadership must change. Like much of the cybersecurity industry, most agency security programs have invested significantly more in prevention technologies and products than they have in detective systems,” Lewis said. “But those products are failing. Insider threats, social engineering, zero-day attacks, state-sponsored attackers, and many other factors have made an over-reliance on prevention a losing bet. Instead of pretending they can build impenetrable systems, government agencies must increase their ability to discover threats and orchestrate responses before they can do significant damage. Accomplishing that requires realigning both security architecture and the organization, which must come from the top.”

On 28 July, the Biden administration announced a new National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, which directs CISA and the National Institute of Standards and Technology (NIST) to lead an initiative to develop cybersecurity performance goals for critical infrastructure. The memorandum also formally establishes the President’s Industrial Control System Cybersecurity Initiative—"a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings,” according to a White House fact sheet.

The chairman of the Senate Homeland Security and Governmental Affairs Committee, U.S. Senator Gary Peters (D-MI), met with key government stakeholders yesterday, including National Cyber Director Chris Inglis, to further discuss cyber risks and how to strengthen U.S. cybersecurity.

According to a statement from Peters after the meeting, the group discussed the Biden administration’s current efforts to address cyber threats and whether additional authorities or resources are needed.

“This included whether the federal government requires additional funds to prevent and respond to public and private network breaches, how lawmakers and agencies can work to secure and modernize federal IT systems to safeguard sensitive data, how to effectively combat ransomware attacks, and the administration’s approach to strengthening interagency cooperation and communication in order to tackle rising cyber threats," the statement said.