New report shows key agencies don’t patch software or replace decades-old systems used to manage privacy info of citizens
A U.S. Senate subcommittee has released a new bipartisan report that documents the glaring failures of eight federal agencies to address major cybersecurity vulnerabilities.
Sen. Rob Portman, the Ohio Republican who presented the report, called the cybersecurity issues "a huge failure of government."
Here are 10 of the most stunning examples of cybersecurity negligence pointed out by the Permanent Subcommittee on Investigations:
- The State Department’s system used to track and validate visa application information submitted by foreign nationals is approximately 29 years old.
- The Department of Transportation spent part of its cybersecurity budget to prop up a 48-year-old legacy computer that manages its Hazardous Materials Information System.
- Since 2011, the Department of Education, which holds personal information on millions of Americans, has been unable to prevent unauthorized outside devices from easily connecting to the agency’s network.
- Over the past decade, all eight major agencies reviewed by the Subcommittee failed to apply security patches.
- For the last four fiscal years, the Department of Homeland Security continued to use unsupported systems, such as Windows XP and Windows Server 2003.
- In 2017 alone, federal agencies reported 35,277 cyber incidents.
- The Social Security Administration (SSA) had persistent cybersecurity issues risking the exposure of the personal information of 60 million Americans, failing annual privacy audits eight times since 2008. SSA’s system that holds information on millions of Americans includes programs written in COBOL, a programming language developed in the 1950s and 1960s.
- Then-DHS Chief Information Officer Richard Staropoli summed up issues related to his cybersecurity management job by saying, “You can write this down and quote me, the problem is piss-poor management.”
- 73 percent of federal agencies are unable to tell when large amounts of data are removed from their networks.
- The Department of Transportation found 10 unresolved security incidents that were over 90 days old, including a nearly year-old issue of “medical records mailed to the wrong address.”
Portman told the Avast Blog the cybersecurity needs of the American people require top tech talent. "The American people expect their personal information to be protected, and right now that isn’t happening. Due to the seriousness of these vulnerabilities, cyber hiring at these agencies must become a top priority. We must ensure that there are CIOs at all agencies and that they have the authority to make organization-wide decisions on cybersecurity. Without this senior-level accountability, agencies will continue to struggle to effectively secure their networks. Congress should continue its oversight of this issue to make sure agencies have the necessary resources and are making smart choices.”
A top issue noted in the report, the failure to update old software, is immediately addressable, an Avast security analyst said. “We have a new Avast psychology report that identifies people’s avoidance as a reason they don’t patch old software. That’s understandable, but when it comes to federal computer issues, it’s no excuse. Our product Avast Business Patch Management helps a great deal by monitoring updates for organizations in one central dashboard,” said Avast cybersecurity evangelist Gill Langston.
The eight agencies that were the focus of the audit are: the Department of Transportation (DOT); Department of Housing and Urban Development (HUD); Department of Agriculture (USDA); Department of Health and Human Services (HHS); Department of Education; and the Social Security Administration (SSA). These seven agencies were cited by OMB as having the lowest ratings with regard to cybersecurity practices based on NIST’s cybersecurity framework in fiscal year 2017.
Read the entire report here.