Out of eight U.S. federal agencies identified two years ago with critical cybersecurity failures, seven still don’t meet basic standards, a new audit report found. The Federal government’s overall posture was given just a C-.
Audited agencies included the Departments of State, Homeland Security, Housing and Urban Development, Transportation, Agriculture, Health and Human Services, Education and the Social Security Administration. Only one agency, DHS, received a B grade, while four got Ds and three received C marks.
The report was completed by Senate staffers working with Inspectors General on behalf of the Committee on Homeland Security and Governmental Affairs, which set out to measure how much improvement has been made since the committee identified eight critical agencies that needed to improve basic cybersecurity standards.
The report doesn’t equivocate, starting with its title, Federal Cybersecurity: America’s Data Still at Risk (PDF).
The Department of Homeland Security (DHS) was the only agency that made adequate improvements, according to the report.
“What this report finds is stark,” the authors write. “Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements and only DHS managed to employ an effective cybersecurity regime for 2020.”
To prove the high stakes of failing to shore up security, the report pointed to two recent major government breaches: the SolarWinds supply-chain compromise, which exposed DHS and the Departments of State, Energy and Treasury, and the reported Chinese exploitation of Pulse Connect Secure VPN appliances, which allowed the attackers to bypass agency passwords and multi-factor authentication (MFA) protections.
Sloppy Handling of America’s PII
Seven agencies didn’t provide adequate protection of personally identifiable information (PII), the report found.
The Social Security Administration was found to have lax PII protection, even failing to implement the basic requirements of the Federal Cybersecurity Enhancement Act of 2015.
Over at the Department of Education, the Inspector General was able to access and exfiltrate hundreds of sensitive files, including 200 credit card numbers, without the agency realizing it or taking any steps to stop it.
The authors also called out the State Department, which couldn’t provide documentation for 60 percent of the employees with access to the agency’s classified network and left former employees’ accounts active on both its classified and unclassified networks long after they had left.
The same issue was uncovered half a world away, in three Western Australian state government systems, where it took between six and 161 days for terminated employees’ network access to be cut off.
The Inspectors General also found that encryption, user access controls and MFA still weren’t being implemented consistently across the government.
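The stale-account finding above is easy to measure once HR termination records and a directory export are side by side. The following is an added illustration written for this article, not code from the report or from any of the audited agencies: it joins the two data sets, computes how long each terminated employee’s access outlived their termination date, and flags accounts that are still enabled. The HR records, directory entries, audit date and one-day grace period are all constructed assumptions.

```python
"""Offboarding-lag check: join HR terminations against a directory export,
flag accounts that outlived the termination date, and report the lag.
Added example; every record below is constructed, not from the report."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class HRRecord:
    user: str
    terminated: date                 # last day of employment


@dataclass
class DirectoryAccount:
    user: str
    network: str                     # "classified" or "unclassified"
    enabled: bool
    disabled_on: Optional[date]      # None while the account is still enabled


@dataclass
class Finding:
    user: str
    network: str
    lag_days: int                    # days access persisted past termination
    still_enabled: bool


def offboarding_findings(hr: List[HRRecord], accounts: List[DirectoryAccount],
                         audit_date: date, grace_days: int = 1) -> List[Finding]:
    """One Finding per account of a terminated employee whose access lasted
    more than grace_days past termination. Enabled accounts are measured
    against audit_date, since they have no disable date yet."""
    terminations = {r.user: r.terminated for r in hr}
    findings = []
    for acct in accounts:
        term = terminations.get(acct.user)
        if term is None:
            continue                 # current employee: not an offboarding case
        end = audit_date if acct.enabled else acct.disabled_on
        lag = (end - term).days
        if lag > grace_days:
            findings.append(Finding(acct.user, acct.network, lag, acct.enabled))
    # Worst offenders first, so the report leads with the longest-lived access.
    return sorted(findings, key=lambda f: f.lag_days, reverse=True)


def lag_range(findings: List[Finding]) -> Optional[Tuple[int, int]]:
    """(shortest, longest) deprovisioning lag, or None if nothing was flagged."""
    if not findings:
        return None
    lags = [f.lag_days for f in findings]
    return (min(lags), max(lags))


# Constructed sample data (assumed, not taken from any agency).
HR = [
    HRRecord("alice", date(2021, 1, 15)),
    HRRecord("bob", date(2021, 3, 1)),
    HRRecord("carol", date(2020, 11, 20)),
]
ACCOUNTS = [
    DirectoryAccount("alice", "unclassified", False, date(2021, 1, 16)),  # disabled next day: within grace
    DirectoryAccount("alice", "classified", False, date(2021, 1, 21)),    # six days late
    DirectoryAccount("bob", "unclassified", True, None),                   # still live at audit time
    DirectoryAccount("carol", "classified", False, date(2021, 4, 30)),    # 161 days late
    DirectoryAccount("dave", "unclassified", True, None),                  # current employee, ignored
]
AUDIT_DATE = date(2021, 6, 1)

if __name__ == "__main__":
    for f in offboarding_findings(HR, ACCOUNTS, AUDIT_DATE):
        state = "STILL ENABLED" if f.still_enabled else "disabled late"
        print(f"{f.user:8} {f.network:13} {f.lag_days:4d} days  {state}")
    print("lag range:", lag_range(offboarding_findings(HR, ACCOUNTS, AUDIT_DATE)))
```

Matching on the username alone assumes HR and the directory share an identifier; in practice the join key is usually an employee ID, and accounts with no HR counterpart at all (service accounts, contractors) deserve their own list rather than being silently skipped as this example does.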
No Idea What’s on the Network
Five audited agencies didn’t have comprehensive IT asset inventories, according to the report.
The auditors found unauthorized “shadow IT” connected to the Department of Housing and Urban Development’s network that no one would have even known about “until it fails or is breached,” the report added.
Six of the audited agencies didn’t patch or engage in other vulnerability remediation in a timely manner, and all eight agencies are still using legacy systems no longer supported with security updates.
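An asset inventory is only useful if it is checked against what is actually on the wire, which is how the kind of unrecorded device described above gets found before it fails or is breached. The following added example, written for this article rather than taken from the report or from HUD, parses a constructed ISC dhcpd lease file, normalizes MAC addresses so that differently formatted inventory entries still match, and reports both unknown devices (candidate shadow IT) and inventoried assets that were not observed. The inventory entries and lease text are assumptions.

```python
"""Asset-inventory reconciliation: authorized inventory vs. observed devices.
Added example; the inventory and the DHCP lease text are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    mac: str
    hostname: str = ""
    owner: str = ""          # responsible team, blank for observed-only devices


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, accepting '-', '.' or no separators."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# One lease block per device, in the dhcpd.leases layout: lease <ip> { ... }
_LEASE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
_HW = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;")
_HOST = re.compile(r'client-hostname\s+"([^"]*)"\s*;')


def parse_leases(text: str) -> List[Asset]:
    """Observed devices from a dhcpd lease file; leases without a hardware
    line (e.g. abandoned entries) are skipped."""
    observed = []
    for _ip, body in _LEASE.findall(text):
        hw = _HW.search(body)
        if not hw:
            continue
        host = _HOST.search(body)
        observed.append(Asset(normalize_mac(hw.group(1)),
                              host.group(1) if host else ""))
    return observed


def reconcile(inventory: List[Asset], observed: List[Asset]) -> Tuple[List[Asset], List[Asset]]:
    """(unknown, missing): observed devices absent from the inventory, and
    inventoried assets not seen on the network during the observation window."""
    inv: Dict[str, Asset] = {normalize_mac(a.mac): a for a in inventory}
    seen: Dict[str, Asset] = {a.mac: a for a in observed}
    unknown = [seen[m] for m in seen if m not in inv]
    missing = [inv[m] for m in inv if m not in seen]
    return unknown, missing


# Constructed inventory, deliberately using three different MAC formats.
INVENTORY = [
    Asset("00:1A:2B:3C:4D:5E", "printer-7f", "facilities"),
    Asset("AA-BB-CC-DD-EE-01", "ws-101", "desktop-support"),
    Asset("aabbccddee02", "ws-102", "desktop-support"),
]

# Constructed dhcpd.leases excerpt: the "rpi-dev" board is not in the inventory.
LEASES = """
lease 10.0.4.23 {
  starts 4 2021/06/01 14:02:11;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "printer-7f";
}
lease 10.0.4.40 {
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "ws-101";
}
lease 10.0.4.77 {
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "rpi-dev";
}
lease 10.0.4.99 {
  abandoned;
}
"""

if __name__ == "__main__":
    unknown, missing = reconcile(INVENTORY, parse_leases(LEASES))
    print("not in inventory:", [(a.mac, a.hostname) for a in unknown])
    print("not observed:    ", [(a.mac, a.hostname) for a in missing])
```

A MAC address is a weak identity (it is trivially spoofed and modern clients randomize it), so a real program would fold in further observation sources, such as switch port tables, endpoint-agent check-ins and scan results, and treat the unknown list as a queue to investigate rather than as proof of rogue hardware.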
The Inspector General also found the National Cybersecurity Protection System program for agencies, also known as EINSTEIN, wasn’t as effective as it needs to be to detect and prevent attacks.
Inspector General Cybersecurity Recommendations
The report concludes with several recommendations, including risk-based budgeting.
“Agencies currently use limited funds on capabilities for perceived security weaknesses instead of those most likely to be exploited by threat actors,” the authors wrote.
It also advocated for a centralized, government-wide approach, tasking the Cybersecurity and Infrastructure Security Agency (CISA) with updating EINSTEIN, sharing services across agencies – including a whole-of-government endpoint detection effort – and establishing metrics to measure improvement across agencies.
Finally, the report’s authors called on Congress to update the Federal Information Security Modernization Act of 2014 to reflect current best practices, formalize CISA’s role as lead agency for cybersecurity, require agencies to report certain incidents to CISA, and define what constitutes a “major incident” that must be reported to Congress.
“Despite legal requirements for Federal agencies to secure their networks, they repeatedly fail to do so — this includes implementing basic cybersecurity hygiene practices and protecting the sensitive information entrusted to them,” the report said.
Experts: Consider This a ‘Call to Action’
Doug Britton, CEO of Haystack Solutions, told Threatpost on Tuesday that this is serious stuff: “This is an unnerving report and should be considered as a call to action,” he said via email. “These agencies deal with data that reaches the heart of what helps our country work, regulating transportation, research, and social services. It is startling to see how basic cyber protections are still not yet in place as we continue to see significant breaches making headlines. We are under active threat and need to take immediate action and make significant investment into our cybersecurity infrastructure, starting with our talent pipeline. We have the tools to find them regardless of their background. We need everyone we can muster to join this fight.”
Another security expert – Jamie Lewis, Rain Capital Venture Partner, founder of The Burton Group and former Gartner executive – noted that Tuesday’s report echoes previous reports published by the Government Accountability Office (GAO) and other watchdog agencies. All of these reports have recommended that government agencies develop a comprehensive and centralized strategy for national cybersecurity which is hardly surprising, given the data they gather, the functions they serve and the “extraordinarily high levels of information security risk” they face.
“Nation-states, criminals, and other actors bring sophisticated expertise and significant resources to bear in pursuing their objectives, and US government agencies are obvious targets,” Lewis commented. “In short, economic well-being, public health, and critical infrastructure are all at risk: a fact that has become all too clear of late as attacks have escalated.”
But while comprehensive approaches are “clearly necessary,” they take time to develop and deploy, he said. In the meantime, government agencies can substantially enhance their security posture by improving their execution around basic security practices. His recommendations: streamline the consistent and timely implementation of patches for known system vulnerabilities, increase the security awareness of front-line employees, create better incident response programs, and limit the collection and use of personal information in order to reduce the risks they must manage.
But perhaps the most important task at hand is to change mindset, Lewis said. “The mindset of agency leadership must change. Like much of the cybersecurity industry, most agency security programs have invested significantly more in prevention technologies and products than they have in detective systems. But those products are failing,” he said. “Insider threats, social engineering, zero-day attacks, state-sponsored attackers, and many other factors have made an over-reliance on prevention a losing bet. Instead of pretending they can build impenetrable systems, government agencies must increase their ability to discover threats and orchestrate responses before they can do significant damage. Accomplishing that requires realigning both security architecture and the organization, which must come from the top.”