Think Washington, D.C.'s politics are a mess?
Wait until you hear about the U.S. government's cybersecurity posture.
As a level set, consider this: in 2017 alone, federal agencies reported 35,277 cyber incidents. And guess what? According to a new federal report, this is almost expected.
"The number of data breaches agencies have reported in recent years is not surprising given the current cybersecurity posture of the federal government."
And now we are learning details of exactly what that statement means.
A new Senate subcommittee report reveals specifics of the D.C. disaster when it comes to these eight federal government agencies and cybersecurity.
• Department of Homeland Security (DHS)
• Department of State ("State")
• Department of Transportation (DOT)
• Department of Housing and Urban Development (HUD)
• Department of Agriculture (USDA)
• Department of Health and Human Services (HHS)
• Department of Education ("Education")
• Social Security Administration (SSA)
What is happening at these federal agencies when it comes to cybersecurity? Well, here's one of the opening paragraphs from the new report:
"Over the past decade, IGs (Inspector Generals) for all eight agencies reviewed by the Subcommittee found each agency failed to timely remediate cyber vulnerabilities and apply security patches. For example, the HUD and State IGs identified the failure to patch security vulnerabilities seven of the last ten annual audits. HHS and Education cybersecurity audits highlighted failures to apply security patches eight out of ten years. For the last nine years, USDA failed to timely apply patches. Both DHS and DOT failed to properly apply security patches for the last ten consecutive years."
In other words, even the basic elements of a mature cybersecurity program are missing, even though they've been pointed out by audits year after year, after year.
The subcommittee report analyzed audits of these agencies against the NIST Cybersecurity Framework. That framework is considered by many to be the gold standard for building a security program at any organization. And it's the most popular course at our regional cybersecurity conferences around North America.
The Inspectors General reviewed the agencies by assigning ratings
on five security functions: (1) identify; (2) protect; (3) detect; (4) respond;
and (5) recover.
The new report on cybersecurity is long and detailed, so we'll only hit some of the lowlights here. The report's authors noted an agency's cybersecurity maturity level and called out specific fails, as follows:
"The State Department received 'Ad-hoc' maturity ratings, the lowest possible rating under NIST standards. An Ad-hoc rating means that the Department has not formalized its cyber policies and procedures and security activities are performed in a reactive manner."
Doesn't that sound frightening? The U.S. State Department does not even have formalized cybersecurity policies and procedures.
It's a different problem at the Department of Transportation:
"For ten consecutive years, the IG found DOT failed to remediate vulnerabilities in a timely fashion."
And there it is: a decade of failing at cybersecurity. And the report is just getting started.
"In FY 2018, the Department of Housing and Urban Development’s
information security program was ineffective in all five NIST functions."
None of them done right.
"HUD does not have a mature process for monitoring network and web application data exfiltration. This is problematic because the IG
identified several web applications that allow users to generate reports containing PII. For the last seven consecutive years, the Department used unsupported systems and failed to properly apply security patches."
And when it comes to patching known cybersecurity vulnerabilities, there are problems all over the place:
"In FY 2018, the Department of Agriculture’s cybersecurity program was ineffective in all five NIST functions, with pronounced issues in
vulnerability remediation.
For example, one USDA sub-agency had 49 percent of critical and high vulnerabilities outstanding for more than two years, and some went unaddressed for over five years."
Patches not applied for years? I guess we'll find out if hackers read Congressional reports; that tidbit could be very helpful. Next:
"In FY 2018, the Department of Transportation’s information security program was ineffective in all five NIST security functions, receiving the second lowest NIST maturity rating in each of the five functions.
In FY 2018, the Department of Health and Human Services’ cybersecurity program was rated ineffective in all five NIST functions. HHS still has not compiled an accurate and comprehensive IT asset inventory."
This reminds us of something we hear repeatedly at SecureWorld: it is impossible to secure what you don't know you have.
Let's continue with notes on additional agencies from the D.C. disaster on cybersecurity:
"Millions of students trust the Department of Education to keep their personal information secure. The Department of Education had reoccurring cybersecurity weaknesses that impeded the Department’s ability to achieve an effective information security program.
In FY 2018, the Social Security Administration’s information security
program was rated ineffective with particular issues related to identity and access management. The Social Security Administration had persistent cybersecurity issues risking the exposure of the personal information of 60 million Americans who receive Social Security benefits."
Are you getting a clear picture of the cybersecurity posture at these U.S. government agencies? Perhaps clearer than you would like.
There is actually a lot more to read in the report, Federal Cybersecurity: America's Data at Risk.
On a bright note, if we can call it that, the Department of Homeland Security was mentioned the fewest number of times in the report.
It apparently has the best cybersecurity program of these eight agencies. We'd certainly hope so.
After all, DHS is the agency in charge of securing the networks of all other
government agencies. And it also alerts the world to many cybersecurity vulnerabilities and threats.
RELATED STORIES:
Federal Employees Can Sue Over Data Breaches
Federal Government to Tech Employees: Do a Tour of Duty with Us
Federal Reserve Discloses Dozens of Cyber Breaches
4 Top Cyber Priorities at CISA