The threat of cyberattacks has grown significantly over the past decade. But the cyberdefenses of key US federal agencies remain woefully inadequate, according to a Senate oversight report published Aug. 3. “While several of the agencies made minimal improvements in one or more areas, inspectors general found essentially the same failures as the prior 10 years,” the report concluded.
The agencies—much like private businesses across the economy—are struggling to catch up after years of deferring necessary investments in cybersecurity. Thanks to a string of recent high-profile hacks, the agencies likely have a narrow window in which to act while the bureaucracy’s leadership is motivated enough to modernize its cyberdefenses. William Malik, a vice president at the cybersecurity firm Trend Micro, said surveys have shown most organizations don’t patch their IT vulnerabilities until there’s a serious attack or near-miss.
The report compiled findings from inspectors general at eight departments: Homeland Security, Housing and Urban Development (HUD), Health and Human Services, State, Transportation, Agriculture, Education, and the Social Security Administration.
The federal government has suffered two major hacks in the past year. In December, authorities revealed that Russian state hackers used a vulnerability in the SolarWinds network management software to break into the IT systems of nine federal agencies. In April, five more agencies acknowledged they had been breached by Chinese state-sponsored hackers who exploited weaknesses in a remote access software called Pulse Connect Secure. In response, US president Joe Biden issued a May 12 executive order directing federal agencies to get their cyberdefenses in order. He has also harped on the issue in public speeches pressuring both government agencies and private businesses to protect key infrastructure.
The problem is not that the US government needs cutting-edge high-tech cybersecurity software, the Aug. 3 Senate report reveals. It’s that the agencies have been unable to marshal either the budget or the organizational will to follow even basic best practices to defend an IT network.
Of the myriad security failures and recommendations to solve them, we’ve pulled together the highlights:
The State Department’s inspector general found the agency couldn’t account for 60% of the employees who had access to its classified network—a network which the report notes “contains data which if disclosed to an unauthorized person could cause grave damage to national security.” That violates one of the most basic cybersecurity measures: accurately managing users’ access to a secure network.
Thousands of former workers’ accounts were left open for “as long as 152 days after employees quit, retired, or were fired,” creating an opportunity for hackers or unscrupulous ex-State Department employees to use those lingering logins to steal data. The inspector general’s proposed fix: Do an account audit to find out who still has access to the network, and automatically shut off accounts that have been inactive for 60 days. (While the solution seems simple enough, the inspector general noted that the department rejected that advice, apparently because officials didn’t understand the recommendation.)
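The account audit the inspector general proposed, as an added example that is not from the report: a constructed HR roster is reconciled against directory accounts to flag accounts still open for separated employees (with the number of days they have lingered), accounts of current staff idle for 60 days or more, and accounts with no roster entry at all. The 60-day cut-off is the report's; the Account and Person records, names and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVITY_LIMIT_DAYS = 60  # cut-off proposed by the State Department IG

@dataclass
class Account:                      # a network/directory account
    user: str
    enabled: bool
    last_login: Optional[date]      # None = never logged in

@dataclass
class Person:                       # an HR roster entry
    user: str
    separated_on: Optional[date]    # None = still employed

def audit_accounts(accounts, roster, today):
    """Return (lingering, dormant, unmatched): enabled accounts of separated staff
    (with days since separation), of current staff idle >= INACTIVITY_LIMIT_DAYS
    days, and with no roster entry at all (users nobody can account for)."""
    by_user = {p.user: p for p in roster}
    lingering, dormant, unmatched = [], [], []
    for acct in accounts:
        if not acct.enabled:
            continue                # already shut off, nothing to do
        person = by_user.get(acct.user)
        if person is None:
            unmatched.append(acct.user)
        elif person.separated_on is not None:
            lingering.append((acct.user, (today - person.separated_on).days))
        else:
            idle = (today - acct.last_login).days if acct.last_login else None
            if idle is None or idle >= INACTIVITY_LIMIT_DAYS:
                dormant.append((acct.user, idle))
    return lingering, dormant, unmatched

def accounts_to_disable(accounts, roster, today):
    """Every finding category maps to the same action: shut the account off."""
    lingering, dormant, unmatched = audit_accounts(accounts, roster, today)
    return sorted({u for u, _ in lingering} | {u for u, _ in dormant} | set(unmatched))

# Constructed sample data (not from the report); the audit runs on 2021-08-03.
ROSTER = [Person("alice", None), Person("bob", date(2021, 3, 4)),
          Person("carol", date(2021, 7, 20)), Person("dave", None), Person("frank", None)]
ACCOUNTS = [Account("alice", True, date(2021, 8, 1)), Account("bob", True, date(2021, 2, 20)),
            Account("carol", False, date(2021, 7, 19)), Account("dave", True, date(2021, 5, 1)),
            Account("erin", True, date(2021, 7, 30)), Account("frank", True, None)]
AUDIT_DATE = date(2021, 8, 3)
```

In the sample, bob's account has lingered 152 days after separation, the same span the report cites, and a never-used account (frank) is treated as dormant rather than ignored.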
HUD’s inspector general chided the agency for its rampant “shadow IT” (the devices, software, and cloud services that are hooked into the agency’s networks “without the knowledge of the IT organization”). The Department of Transportation faces a similar problem, with nearly 15,000 mobile devices, servers, and workstations connected to its networks without the IT department’s knowledge. The report notes that “IT staff may not learn of the existence of [a shadow] system until it fails or is breached.”
Shadow IT puts a major dent in a network’s defenses. “If you don’t have very good control over your assets, people can connect a new device to your network or steal an existing device that has trusted access,” said Daryl Crockett, CEO of the cybersecurity firm ValidDatum. She suggested a couple of low-hanging fruit fixes: Organizations should keep better records of all the devices that are authorized to access their networks, and they should use multi-factor authentication to ensure that if one device is stolen, a hacker can’t log in without also having access to other trusted devices.
The easiest way organizations can bolster their cyberdefenses is by quickly installing security patches: the software updates vendors ship to address known vulnerabilities in their products. Crockett estimates that 90% of hacks could have been prevented if the victims had installed patches in time.
The Department of Homeland Security has long struggled to stay on top of security patches. Its inspector general has called the agency out for “failure to properly apply security patches” in 12 consecutive annual reports. This year’s Senate report notes that six of the eight agencies it studied also fail to update their software regularly.
Seven of the eight agencies in the report “used legacy systems or applications no longer supported by the vendor with security updates.” These agencies rely on software that’s so old that the manufacturer has gone out of business or stopped bothering to create security patches (e.g. Internet Explorer).
The Transportation Department, for instance, still uses Windows 2008, which Microsoft stopped supporting five years ago. The Department of Homeland Security is still using an outdated and unsupported version of Windows even after the agency’s inspector general pointed it out in six consecutive annual reports.
HUD relies on several “mission-essential” applications that “have not been modernized in decades,” according to the report. The agency’s inspector general has been calling it out for using outdated software “in every annual evaluation since FY 2013.” But HUD has struggled to invest in new, modern software—perhaps because it spends “the majority of its information security budget on the maintenance of legacy systems.”
HUD is a perfect example of an organization deep in “technical debt.” Because it has waited so long to modernize its network, it has become very costly to make the necessary upgrades—but it’s also very expensive just to keep the lights running on the old system. The only way out is to bite the bullet and spend the money to revamp the network now, before the problem gets worse.