A damning report on the security of government computers paints an unflattering picture of lax or non-existent patching efforts, poor password policies, configuration errors and a general lack of confidence that exposes critical services and systems to attack.
The report, “The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure,” was released yesterday by Oklahoma Republican Sen. Tom Coburn, the ranking member of the Homeland Security and Governmental Affairs Committee. Coburn reiterated the risks to financial markets, emergency response and individuals’ information posed these security issues brought to light in the report—the majority of which can be addressed with basic information security hygiene.
“While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cybersecurity, there are very basic – and critically important – precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing,” Coburn said.
Coburn pointed the finger at the White House for not holding the agencies accountable for proper cybersecurity policies and enforcement. The report referenced President Obama’s Executive Order, signed one year ago, which promised the government and private sector would collaborate on the directive to secure commercially owned critical infrastructure networks.
“It is appropriate for the White House to envision a federal role in protecting privately-owned infrastructure, particularly when that infrastructure undergirds the nation’s economy and society,” Coburn’s report said. “However, for the country’s citizens and businesses to take the government’s effort seriously, the federal government should address the immediate danger posed by the insecurity of its own critical networks.”
A good amount of ire in the report, which was built off data collected in 40 audits, interviews and reporting on government systems done in a dozen agencies, was reserved for DHS, which in 2010 was tasked with leading the effort to secure government computers.
Despite that responsibility, the White House Office of Management and Budget last year rated DHS below government agency averages for the use of up to date antivirus software and other automated detection programs, as well as a lack of email encryption and security awareness training. It also failed to reach a goal of sending 95 percent of DHS internet traffic through Trusted Internet Connections (TICs), sending only 72 percent.
Two years ago, computers at the National Protection and Programs Directorate (NPPD) which houses DHS cybersecurity, were below proper patching levels and were protected by weak passwords. FEMA and ICE immigration servers had missing patches, and Web applications were also vulnerable to remote attacks. In addition, physical security no-no’s were reported, including a number of passwords found written down on desks, unlocked desks, unlocked laptops, and even credit cards left on desks.
DHS was not alone in its troubles. The Nuclear Regulatory Commission had many of the same password and patching weaknesses, but the report points out a general lack of confidence in NRC’s IT staff. Business owners were buying their own computers and setting up their own networks inside agency offices. Workers were also storing data on nuclear facilities’ cybersecurity programs on unsecured shared drives.
“Just about every aspect of that process appears to be broken at the NRC,” the report said. “Problems were identified but never scheduled to be fixed; fixes were scheduled but not completed; fixes were recorded as complete when they were not.”
Computers at the Internal Revenue Service, which arguably stores the most sensitive information on just about every adult in the United States, are vulnerable to the same weaknesses year after year since 2008, the report said. The General Accounting Office, for example, identified 100 vulnerabilities on IRS machines, including a lack of encryption on data transmitted between offices over the Internet.
The Department of Education, which manages $948 billion in student loans, is vulnerable to remote attack on systems accessible to remote workers. The report also identified lax investigations by the department into reported compromises of accounts; only 17 percent of cases were reviewed. In addition, the department was flagged for weak network monitoring and security to the point where hackers were able to set up a rogue connection on the agency’s network behind the firewall.
The Department of Energy, which suffered two intrusions last year resulting in the theft of personal information on past and present government and contract employees, was another offender. The report cites an audit of Western Area Power Administration which handles power needs for 15 states in the central and western parts of the U.S. All 105 computers tested in the audit lacked proper patching, in addition to having public-facing servers configured with default credentials and poor scanning of systems for vulnerabilities so as not to impact performance of services running on those machines.
The Securities and Exchange Commission was not left out. The report said employees were using personal email accounts, including web-based programs such as Gmail, to send information to and from financial institutions. Laptops storing sensitive information were unencrypted and lacking antivirus software. Laptops belonging to the Trading and Markets team dedicated to cybersecurity contained information on vulnerabilities in exchange computers, as well as networking maps that could have facilitated hacks, the report said.
“The investigation also found that members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits,” the report said. “They also appeared to have connected laptops containing sensitive information to unprotected Wi-Fi networks at public locations like hotels—in at least one reported case, at a convention of computer hackers.”