10 Most Glaring Cybersecurity Issues of US Government

A U.S. Senate subcommittee has released a new bipartisan report that documents the glaring failures of eight federal agencies to address major cybersecurity vulnerabilities.

Sen. Rob Portman, the Ohio Republican who presented the report, called the cybersecurity issues “a huge failure of government.”   

Here are 10 of the most stunning examples of cybersecurity negligence pointed out by the Permanent Subcommittee on Investigations: 

  • Over the past decade, all eight major agencies reviewed by the Subcommittee failed to apply security patches. 
  • For the last four fiscal years, the Department of Homeland Security continued to use unsupported systems, such as Windows XP and Windows Server 2003.
  • 73 percent of federal agencies are unable to tell when large amounts of data are removed from their networks.
  • In 2017 alone, federal agencies reported 35,277 cyber incidents.
  • Since 2011, the Department of Education, which holds personal information on millions of Americans, has been unable to prevent unauthorized outside devices from easily connecting to the agency’s network.
  • The Social Security Administration (SSA) had persistent cybersecurity issues risking the exposure of the personal information of 60 million Americans, failing annual privacy audits eight times since 2008. SSA’s system that holds information on millions of Americans includes programs written in COBOL, a programming language developed in the 1950s and 1960s.
  • The State Department’s system used to track and validate visa application information submitted by foreign nationals is approximately 29 years old.
  • Then-DHS Chief Information Officer Richard Staropoli summed up issues related to his cybersecurity management job by saying, “You can write this down and quote me, the problem is piss-poor management.”
  • The Department of Transportation found 10 unresolved security incidents that were over 90 days old, including a nearly year-old issue of “medical records mailed to the wrong address.”
  • The Department of Transportation spent part of its cybersecurity budget to prop up a 48-year-old legacy computer that manages its Hazardous Materials Information System.

Portman told the Avast Blog the cybersecurity needs of the American people require top tech talent. “The American people expect their personal information to be protected, and right now that isn’t happening. Due to the seriousness of these vulnerabilities, cyber hiring at these agencies must become a top priority. We must ensure that there are CIOs at all agencies and that they have the authority to make organization-wide decisions on cybersecurity. Without this senior-level accountability, agencies will continue to struggle to effectively secure their networks. Congress should continue its oversight of this issue to make sure agencies have the necessary resources and are making smart choices.”

A top issue noted in the report is immediately addressable, an Avast security analyst said. Jasdev Dhaliwal said the failure to patch outdated security software is a vulnerability that is prevalent, but easily fixed. “A new Avast report zeroes in on psychological avoidance as an issue in patching old software. People just don’t want to do that maintenance. But when it’s the federal government, those updates have to be addressed. Avast Patch Management takes out the guesswork and monitors updates for organizations in one central dashboard.” 

The eight agencies that were the focus of the audit are: the Department of Transportation (DOT); Department of Housing and Urban Development (HUD); Department of Agriculture (USDA); Department of Health and Human Services (HHS); Department of Education; and the Social Security Administration (SSA). These seven agencies were cited by OMB as having the lowest ratings with regard to cybersecurity practices based on NIST’s cybersecurity framework in fiscal year 2017. 

*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog.