US Senate Finds Systemic Cybersecurity Failures In Federal Agencies


Personal data of millions of Americans is at risk because of cybersecurity failures at multiple federal agencies, US Senate report concludes

A report released by a US Senate committee has delivered a damning assessment of cybersecurity readiness at multiple US federal agencies.

The bipartisan report published on Tuesday revealed details of an investigation by the Senate Committee on Homeland Security and Government Affairs into the cybersecurity measures in the federal government.

Alarmingly, the ‘Federal Cybersecurity: America’s Data Still at Risk’ report found that seven out of eight federal agencies fail to protect critical data due to inadequate cyber security measures.


Federal failures

The report found there are still systemic failures to safeguard American data at the Department of State; the Department of Transportation; the Department of Housing and Urban Development; the Department of Agriculture; the Department of Health and Human Services; the Department of Education; and the Social Security Administration.

Only the Department of Homeland Security had an effective cybersecurity program for 2020, according to the report.

But seven federal agencies failed to protect personally identifiable information adequately; failed to maintain accurate and comprehensive IT asset inventories; failed to maintain current authorisations to operate for information systems; failed to install security patches quickly; and failed to retire legacy technology no longer supported by the vendor.

Worse still, the report inspectors identified many of the same issues that have plagued federal agencies for more than a decade.

“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data,” said Republican Senator Rob Portman.

“This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers,” said Senator Portman.

“I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade – the American people deserve better,” he added. “In the coming months, I will be introducing legislation to address the recommendations raised in this report so that America’s data is protected.”

Data protection

“Shortcomings in federal cybersecurity allow cybercriminals to access Americans’ personal information, which not only compromises our national security – but risks the livelihoods of people in Michigan and across the country,” added Democrat Senator Gary Peters.

“This report has identified an urgent need to further strengthen cybersecurity defenses at federal agencies and protect this sensitive data,” said Peters. “Through the American Rescue Plan, I was able to help secure vital resources to modernize and safeguard information systems critical to the federal pandemic response – but there’s more work to be done.”

While the average grade of the large federal agencies’ overall information security maturity was a C-, the Departments of State, Commerce, Education, Transportation and Veterans Affairs all scored lower than that with D grades.

Hostile nations

The SolarWinds compromise revealed how vulnerable many IT systems of the US government remain to outside hackers, including nation-state hackers.

The hackers inserted backdoor code into SolarWinds’ Orion platform in March of 2020 (or possibly earlier according to one US senator) and used this to access the systems of at least half-a-dozen US federal agencies, as well as potentially thousands of private firms before the attack was discovered in December 2020.

The scale of the US government compromise is still being investigated, but just before Christmas US Senator Ron Wyden revealed that dozens of email accounts at the US Treasury Department were compromised.