For years now, officials have warned that the top threat to the US comes in the guise of a cyber attack, leading to increased computer security budgets amongst government agencies.
Despite this, a new report, The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure, paints a pretty bleak picture of the nation’s defences.
Unpatched software, weak passwords and inadequate controls were responsible for what the report refers to as over 48,000 cyber “incidents” amongst government entities reporting to the Department of Homeland Security.
The report, covering the 2012 financial year, was overseen by Oklahoma Senator Tom Coburn, the ranking Republican on the committee. He told the Washington Post:
None of the other agencies want to listen to Homeland Security when they aren't taking care of their own systems. They aren't even doing the simple stuff.
The main problem, according to Coburn, is one of personnel, with the federal government failing to employ candidates of the required calibre, or to offer those same people the appropriate level of clout required to enforce the necessary security policies. Additionally, the level of pay offered by the government was also cited as a barrier to attracting the required level of talent.
The report shows that these multiple failures across agencies come at a staggering cost, noting that the federal government has blown a whopping $65 billion on computer and network security since 2006.
In return, the US taxpayer has been gifted a complete debacle with many high-profile agencies exhibiting what some may see as a complete indifference to good security practice.
At the Department of Homeland Security, for instance, the report discovered “hundreds of vulnerabilities on the DHS cyber team’s systems, including failures to update basic software like Microsoft applications, Adobe Acrobat and Java, the sort of basic security measure just about any American with a computer has performed.”
The specific failings at the DHS included a repeated failure to install software updates and patches, the use of weak and default passwords, out-of-date security software and public-facing websites containing known vulnerabilities.
Worse yet, physical security was found to be poor too with an inspection uncovering unlocked laptops as well as handwritten notes containing passwords and credit card information left on desks.
The irony here is that those observations were made just one month after Homeland Security was tasked with supervising cyber security across all of the government’s networks.
Other departments, including the Nuclear Regulatory Commission (NRC), Internal Revenue Service (IRS), the Securities and Exchange Commission (SEC) and the Departments for Education and Energy fared no better.
At the NRC, sensitive data was found on an unsecured shared drive and confidence in security personnel was so poor that many staff had bypassed controls and brought their own devices to work, even going so far as to create their own unofficial networks.
The NRC was also found to have no idea how much sensitive information it may have lost, because it had no policy in place for reporting such losses. It gets worse – NRC laptops, potentially containing sensitive nuclear information, were not properly accounted for or tracked.
At the IRS, the Government Accountability Office has discovered around 100 security weaknesses every year since 2008, including a failure to encrypt sensitive data, poor passwords and an inability to fix vulnerabilities.
The software update and patching process was also described as being “dangerously slow”.
In 2011, it was discovered at one point that more than one in three of the IRS’ computers were running software with unpatched critical vulnerabilities.
At the SEC, there were just as many problems. A 2012 investigation discovered that team members were transmitting sensitive financial information between their personal email accounts.
Such information was also found to be stored on unencrypted laptops in violation of the SEC’s own policies. Those machines also lacked any kind of antivirus software and some were even found to contain information on how to hack into the financial exchanges.
The same investigation also discovered that some SEC team members took work computers home for personal use and connected the machines to unprotected networks. Unbelievably, it was reported that one of the SEC machines even appears to have been connected to a public network at a hacker convention.
At the Departments of Education and Energy, weak passwords were once again a common feature, as were poor controls that set no requirement for passwords to be changed over time.
Poor patch management was another familiar sight across the departments, as were unprotected servers that were easily breached.
At the Department of Energy, it was discovered that vulnerability tests, whilst utilised, were woefully inadequate because staff ran less intrusive scans in order to lessen the impact upon system performance.
Furthermore, vulnerabilities that were detected were not always properly identified or corrected.
Michael Daniel, special assistant to the president on cybersecurity policy, told the Washington Post:
Almost every agency faces a cybersecurity challenge. Some are farther along than others in driving awareness of it.
It often depends on whether they've been in the crosshairs of a major cyber incident.
Let’s hope the report helps those agencies that are lagging to up their game before they find the crosshairs upon them.
Replace “government agencies” with “private companies” and it sounds pretty much accurate still.
Everyone wants security (or even proper IT), but many balk at the cost and start making concessions. Especially when, outside of an actual security company, it’s a cost center and not a revenue-generating group.
This report doesn’t even get into the systems of government contractors, which are often even worse. I know a person who needed some raw data for their master’s thesis, and quite by accident (using Google, I think) found a completely unsecured ftp server belonging to a government contractor with years’ worth of just the sort of data needed sitting around on it. So this person took it, stripped out information that would identify its source, and used it (since they only needed data to show an analysis technique worked, the data itself was irrelevant). Now, this was a pretty benign example, but not an uncommon one. There was other data on there that was a lot more sensitive that this person was ethical enough to leave alone.
No one is paid enough or given enough authority to care, and no one’s held accountable. IT departments are ridiculously understaffed (1:300 is not uncommon) and under-trained (never given time or money to keep their skills up). The general attitude of most government agencies is “if it ain’t broke don’t fix it” taken to an extreme. No one cares if they’re hemorrhaging money keeping old systems alive; that is always considered preferable to upgrading anything. (Same reason completely useless employees are often allowed to stay, giving the majority of useful people a bad reputation.)
If a business had developed an attitude this toxic, it would collapse under its own weight. I’m not entirely sure how you fix it in a government. But somehow, some way, you have to replace a whole lot of apathy with thoughtfulness and care. Both from employees and contractors.
Companies may have gotten skittish after 2002 when the whole technical information thing went crazy. And wages for tech positions were high (in some cases ridiculous). But those companies can only blame themselves.
Now when consistency is needed, they don’t want to do what needs to be done.
“toe the line my IT friends!”
I see this in my work environment: willing to blow mid-5 figures on security software, but unwilling to invest effort or put emphasis into all the basics of good security practices. Keeping an inventory of devices and IPs in use, making sure documentation is kept up-to-date, inventorying current software in use and removing anything not related to needed business functions, regular checks and audits of all our security practices and protocols, etc. We’re probably better than most because there are some effective security practices we follow religiously, but there are many that aren’t.
Ira Winkler had a fantastic presentation he would give years ago entitled “Information Security and The Wizard of Oz”. I loved it because when I saw it, he had small figurines he would play with at the dais representing the Oz characters, which caused some suits in the audience to turn to each other with “what the hell?” expressions. Ira’s message was spot on, though, in that like the Oz characters, companies tend to search for magic security bullets they can purchase then set and forget, when they have the ability to secure themselves all along via simple security standards.
So, as a government agency, how secure is the NSA with all of the information they are “gathering”?
Government agencies need to adopt a standard method for implementing security controls and protection…. Oh wait the NSA was pushing out the SANS 20 basic controls in 2008. Uhmmm… did someone forget that this should be looked at and automated on a regular basis? This article alone proves that most of the Basic 20 controls were completely ignored!
I believe that the major cause of this issue is that in most instances within Govt the CSO reports to the CIO or CFO. If you report to the CIO, he is more concerned, as is IT, about providing customer service, as ITS is a customer-focussed operation and security is seen as an impediment. Alternatively, if you report to the CFO, he has absolutely no idea about Information Security/Cyber Security and sees this as an area that doesn’t create much business value and is a prime target for efficiencies. Both the CIO and CFO fear disgruntled users who have to change their passwords regularly, as they see this standing in the way of productivity, and as a consequence the CSO comes off a bad second best. CIOs and CFOs are dedicated to keeping everyone happy and the business profitable, but they don’t understand that the elephant in the room is a cyber attack that can kill all confidence in their business or affect continuity. This happened in Target and it will happen in Government. The warnings have been given but the C-suite isn’t listening because they have a “can’t happen to us” attitude.