Report shows US federal agencies are failing to employ very basic security measures


For years now, officials have warned that the top threat to the US comes in the guise of a cyber attack, leading to increased computer security budgets amongst government agencies.

Despite this, a new report, The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure, paints a pretty bleak picture of the nation’s defences.

Unpatched software, weak passwords and inadequate controls were responsible for what the report refers to as over 48,000 cyber “incidents” amongst government entities reporting to the Department of Homeland Security.

The report, covering the 2012 financial year, was overseen by Oklahoma Senator Tom Coburn, the ranking Republican on the committee. He told the Washington Post:

None of the other agencies want to listen to Homeland Security when they aren't taking care of their own systems. They aren't even doing the simple stuff.

The main problem, according to Coburn, is one of personnel: the federal government is failing to recruit candidates of the required calibre, and failing to give those it does recruit the clout needed to enforce the necessary security policies. The level of pay offered by the government was also cited as a barrier to attracting the required level of talent.

The report shows that these failures across agencies come at a staggering cost: the federal government has spent $65 billion on computer and network security since 2006.

In return, the US taxpayer has been gifted a complete debacle with many high-profile agencies exhibiting what some may see as a complete indifference to good security practice.

At the Department of Homeland Security, for instance, the report discovered “hundreds of vulnerabilities on the DHS cyber team’s systems, including failures to update basic software like Microsoft applications, Adobe Acrobat and Java, the sort of basic security measure just about any American with a computer has performed.”

The specific failings at the DHS included a repeated failure to install software updates and patches, the use of weak and default passwords, out-of-date security software and public-facing websites containing known vulnerabilities.

Worse yet, physical security was found to be poor too with an inspection uncovering unlocked laptops as well as handwritten notes containing passwords and credit card information left on desks.

The irony here is that those observations were made just one month after Homeland Security was tasked with supervising cyber security across all of the government’s networks.

Other departments, including the Nuclear Regulatory Commission (NRC), Internal Revenue Service (IRS), the Securities and Exchange Commission (SEC) and the Departments for Education and Energy fared no better.

At the NRC, sensitive data was found on an unsecured shared drive and confidence in security personnel was so poor that many staff had bypassed controls and brought their own devices to work, even going so far as to create their own unofficial networks.

The NRC was also found to have no idea how much sensitive information it may have lost due to having no policy in place for such reporting to take place. It gets worse – NRC laptops, potentially containing sensitive nuclear information, were not properly accounted for or tracked.

At the IRS, the Government Accountability Office has discovered around 100 security weaknesses every year since 2008, including a failure to encrypt sensitive data, poor passwords and an inability to fix vulnerabilities.

The software and patching process was also described as being “dangerously slow”.

In 2011, it was discovered at one point that more than one in three of the IRS’ computers were running software with unpatched critical vulnerabilities.

At the SEC, there were just as many problems. A 2012 investigation discovered that team members were transmitting sensitive financial information between their personal email accounts.

Such information was also found to be stored on unencrypted laptops in violation of the SEC’s own policies. Those machines also lacked any kind of antivirus software and some were even found to contain information on how to hack into the financial exchanges.

The same investigation also discovered that some SEC team members took work computers home for personal use and connected the machines to unprotected networks. Unbelievably, it was reported that one of the SEC machines even appears to have been connected to a public network at a hacker convention.

At the Departments of Education and Energy, weak passwords were once again a common feature, as were poor controls that set no requirement for passwords to be changed over time.

Poor patch management was another familiar sight across the departments, as were unprotected servers that were easily breached.

At the Department of Energy, it was discovered that vulnerability tests, whilst utilised, were woefully inadequate because staff ran less intrusive scans in order to lessen the impact upon system performance.

Furthermore, vulnerabilities that were detected were not always properly identified or corrected.

Michael Daniel, special assistant to the president on cybersecurity policy, told the Washington Post:

Almost every agency faces a cybersecurity challenge. Some are farther along than others in driving awareness of it.

It often depends on whether they've been in the crosshairs of a major cyber incident.

Let’s hope the report helps those agencies that are lagging to up their game before they find the crosshairs upon them.
