Given that cyber crime ramped up in an unprecedented way during the Covid-19 pandemic, one might assume that federal agencies made a concurrent push to improve security (particularly given that an unusually contentious federal election landed in the middle of this period). A new Senate report reveals the opposite. Seven of eight federal agencies were found to have not made any meaningful improvements to their security since 2019.
The inspectors general found that these agencies were not meeting even basic expected standards for cybersecurity, and that many of the issues they identified had persisted for a decade. Overall, the largest federal agencies received an average grade of “C-” for their cybersecurity posture.
Senate report calls out long-time federal cybersecurity negligence
In a set of failures described as “systemic,” the Senate report found that every federal agency examined, save the Department of Homeland Security (DHS), came up short on its cybersecurity fundamentals. The report was produced by the bipartisan Senate Homeland Security and Governmental Affairs Committee, chaired by Gary Peters (D-Michigan) with Rob Portman (R-Ohio) as ranking member. While all of the agencies except DHS were in some level of cybersecurity trouble, the report singled out several that were given a grade of “F” for their security posture in 2020: the Departments of State, Commerce, Education, Transportation and Veterans Affairs.
Though DHS fared better than the other agencies, it was not without its shortcomings. The DHS Inspector General had not submitted its annual evaluation to Congress before the Senate report was released, and the cybersecurity program that DHS administers to provide other federal agencies with a baseline level of intrusion detection (EINSTEIN) was found to have “significant limitations” in detecting and stopping attacks.
The points of failure the federal agencies are experiencing are all over the map. According to the Senate report, one of the most common issues is a failure to keep up with necessary security patching (a problem hardly unknown to private organizations). Another is that many federal agencies continue to run legacy systems and software that no longer receive security updates from their vendors. Nearly all of the agencies were also operating systems without a current authorization to operate, failing to maintain information technology asset inventories, and not following best practices for protecting personally identifiable information.
The report indicates that penetration testing was part of this examination, and that some agencies came up short. Investigators were apparently able to access a trove of personal information and credit card numbers on a Department of Education server without the IT staff noticing. The State Department appears to have routinely left employee accounts active after individuals departed the agency (including accounts on the classified network), and the Department of Agriculture had a number of vulnerabilities that its IT staff was not aware of.
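The State Department finding above is the kind of gap a routine reconciliation catches: compare the HR separation feed against enabled directory accounts and flag any account that outlives its owner. The script below is an added illustration, not code from the Senate report or from any agency; the separation roster, the directory export, the network labels and the one-day grace period are all constructed for the example.

```python
"""Orphaned-account check: flag directory accounts still enabled after the
owner's separation date. Added illustration, not from the Senate report;
the roster, the account export and the grace period are constructed here."""
from dataclasses import dataclass
from datetime import date

# Constructed sample of an HR separation feed (username -> last working day).
SEPARATIONS = {
    "jdoe": date(2021, 3, 12),
    "asmith": date(2021, 6, 30),
    "rlee": date(2020, 11, 2),
}

# Constructed sample of a directory export: one row per account per network.
ACCOUNTS = [
    {"user": "jdoe",   "network": "unclass",    "enabled": True,  "last_logon": date(2021, 4, 20)},
    {"user": "jdoe",   "network": "classified", "enabled": True,  "last_logon": None},
    {"user": "asmith", "network": "unclass",    "enabled": False, "last_logon": date(2021, 6, 29)},
    {"user": "rlee",   "network": "unclass",    "enabled": True,  "last_logon": date(2021, 7, 1)},
    {"user": "mchen",  "network": "unclass",    "enabled": True,  "last_logon": date(2021, 7, 1)},
]

# Date the audit is run (constructed).
AUDIT_DATE = date(2021, 8, 1)


@dataclass(frozen=True)
class Finding:
    user: str
    network: str
    days_past_separation: int
    used_after_separation: bool  # a logon after the last day is worse than merely "enabled"


def find_orphaned_accounts(accounts, separations, as_of, grace_days=1):
    """Return a Finding for each enabled account whose owner separated more
    than `grace_days` before `as_of`. Users absent from the separation feed
    are not reported here; confirming every account has a current owner is a
    separate check."""
    findings = []
    for acct in accounts:
        last_day = separations.get(acct["user"])
        if last_day is None or not acct["enabled"]:
            continue
        overdue = (as_of - last_day).days
        if overdue <= grace_days:
            continue
        logon = acct["last_logon"]
        findings.append(Finding(
            user=acct["user"],
            network=acct["network"],
            days_past_separation=overdue,
            used_after_separation=logon is not None and logon > last_day,
        ))
    # Classified-network orphans first, then the most overdue.
    findings.sort(key=lambda f: (f.network != "classified", -f.days_past_separation))
    return findings


if __name__ == "__main__":
    for f in find_orphaned_accounts(ACCOUNTS, SEPARATIONS, as_of=AUDIT_DATE):
        print(f)
```

The ordering matters in practice: an enabled account on a classified enclave with no owner is the first ticket to raise, and an orphaned account that has actually logged on since the owner left is an incident to investigate, not just a hygiene item.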
Rajiv Pimplaskar, CRO of Veridium, speculated on where the holes might have been found based on broader trends: “A core vulnerability that needs to be addressed across many environments is the over-reliance on credential- or password-based authentication systems. According to the Verizon Data Breach Investigations Report (DBIR), over 80% of data breaches occur due to credential theft. Passwords are often reused, can be socially engineered, brute-forced or hacked, leading to a proliferation of the attack via lateral movement … Federal agencies can and should adopt passwordless authentication utilizing phone-as-a-token or FIDO2 security keys. Such solutions reduce the attack surface of credentials that can be exploited in a data breach, making the environment impervious to such attacks. Further, such solutions also reduce friction, enabling a better user experience.”
Why federal agencies are failing
One of the failings that the Senate report identifies is the lack of a single point of accountability for the cybersecurity programs of federal agencies. This has stymied the creation of a government-wide unified cybersecurity strategy, and hampers efforts to implement new information security requirements that apply to all agencies.
The report also singled out legacy technologies as a long-standing problem. It points out that keeping these systems running is now potentially more costly than replacing them outright, because once a vendor ceases support, critical funding has to be diverted to securing them.
Jamie Lewis (Rain Capital Venture Partner, Founder of The Burton Group and Former Gartner Executive) notes that the report is part of a pattern that stretches back at least a decade: “Unfortunately, the news that our government agencies have not established comprehensive measures to manage these cybersecurity risks is not new. The report released by the Senate Homeland Security and Governmental Affairs Committee on Tuesday echoes previous reports issued by the Government Accountability Office (GAO) and other watchdog agencies … the mindset of agency leadership must change. Like much of the cybersecurity industry, most agency security programs have invested significantly more in prevention technologies and products than they have in detective systems. But those products are failing. Insider threats, social engineering, zero-day attacks, state-sponsored attackers, and many other factors have made an over-reliance on prevention a losing bet. Instead of pretending they can build impenetrable systems, government agencies must increase their ability to discover threats and orchestrate responses before they can do significant damage. Accomplishing that requires realigning both security architecture and the organization, which must come from the top.”
The Senate report concludes with a number of recommendations for all federal agencies. Among these are the introduction of a risk-based budgeting model for information technology investments developed by the Office of Management and Budget (OMB), a centrally coordinated approach for government-wide cybersecurity, an expansion of the Cybersecurity and Infrastructure Security Agency’s (CISA) shared services in support of the EINSTEIN program, and the development of new measurements to rate the maturity of each federal agency’s cybersecurity program. It also calls for an update to the Federal Information Security Modernization Act of 2014 to modernize cybersecurity best practices, install CISA as the lead agency for cybersecurity, create new notification requirements for federal agencies and their contractors, and to expand the range of cyber incidents that require notification.
This report comes two years after a similar investigation by the same committee, concluded in June 2019, found that all eight of the large federal agencies examined (including DHS) had failed to patch known vulnerabilities and were leaving personal information exposed to potential attackers. The lack of urgency in addressing these problems points to a worrying cybersecurity culture in the highest reaches of government, one laid bare by the recent SolarWinds incident and other high-profile attacks on critical infrastructure.
But Bill O’Neill, Vice President of Public Sector at ThycoticCentrify, sees the development of a centralized federal strategy as the critical first step in truly addressing the problem: “US federal agencies must become a united front; one spearheaded by DHS, with CISA leading on proactive cyber strategy. That strategy should be backed by legislation and actively enforced rather than positioned as passive guidelines. Reported security oversights must also be immediately addressed through better interagency information sharing regarding vulnerabilities. Backend IT tech systems should be updated (in accordance with NIST guidelines) to phase out legacy counterparts and enable regular patching. Finally, deeper implementation of zero trust protocols outlined by Biden’s recent EO will help federal agencies stay better insulated from unauthorized access to sensitive data and insider threats … Government has the resources it needs to improve its cybersecurity posture – it just needs to overcome communication and policy barriers to put them to use correctly.”