SHOCKER: Senate Says Security Sucks—Still

A U.S. Senate committee graded cybersecurity as ‘poor’ in seven big agency departments. The litany of failures listed in its report is astounding.

This damning report comes two years after the previous damning report. How much have things improved? Not much.

A billion taxpayer dollars spent on improving things, but not a lot to show for it. Incompetence, laziness and political infighting are noted by insiders in today’s SB Blogwatch.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: TonyM2’s tribute to Jimmy and the Purple One.

Failing at the Basics

What’s the craic? Charlotte Hu reports the report—“Not a single federal agency received an ‘A’ in a new Senate cybersecurity report card”:

More work needs to be done
The US Senate Homeland Security and Governmental Affairs Committee released a bipartisan report. … Seven out of the eight federal agencies they reviewed still have not met the basic cybersecurity standards needed to protect the sensitive data they stored and maintained.

The Departments of … State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, Education, and the Social Security Administration … had made just “minimal improvements” since 2019. … The average grade for all the large federal agencies was a C-minus. None of the agencies received an A. … Only the Department of Homeland Security [graded B].

[Sen.] Gary Peters (D-MI) … notes that the American Rescue Plan has recently invested more than $1 billion to modernize and secure federal IT and networks, but … more work needs to be done. [And Sen.] Rob Portman (R-OH) [said] he will be introducing legislation to “address the recommendations raised in this report.”

And Dan Goodin adds, “Two years after a damning cybersecurity report, auditors find little has improved”:

Same shortcomings
Four of them earned grades of D, three got Cs, and only one received a B. [It] comes two years after a separate report found systemic failures by the same eight federal agencies in complying with federal cybersecurity standards. … During the decade spanning 2008 to 2018, the agencies failed to properly protect personally identifiable information, maintain a list of all hardware and software used on agency networks, and install vendor-supplied security patches in a timely manner.

State Department systems, the auditors found [in the new report], frequently operated without the required authorizations, ran software (including Microsoft Windows) that was no longer supported, and failed to install security patches in a timely manner. The department’s user management system came under particular criticism because officials couldn’t provide documentation of user access agreements for 60 percent of sample employees that had access to the department’s classified network.

The Social Security Administration, meanwhile, suffered many of the same shortcomings. … The report comes seven months after the discovery of a supply chain attack that led to the compromise of nine federal agencies and about 100 private companies.

Horse’s mouth? Senators Portman and Peters sum it up—“America’s data still at risk”:

Remains at risk
What this report finds is stark: Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade.

In the past two years, state-sponsored hackers have perpetuated some of the largest and most damaging cyber-attacks in our history. … For 2020, the White House reported 30,819 information security incidents across the Federal Government—an 8 percent increase from the prior year.

Concerning findings from the … audits include: … The Department of Transportation (DOT) Inspector General found 14,935 IT assets … including 7,231 mobile devices, 4,824 servers, and 2,880 workstations, of which the Department had no record. … In a test of the Department of Education’s security, the Inspector General was able to exfiltrate hundreds of sensitive PII files—including 200 credit card numbers—without the agency detecting or blocking it.

It is clear that the data entrusted to these eight key agencies remains at risk. … Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable.

How could this happen? Let’s cut a rug while u/PooPooPlatter005 scats some jazz: [You’re fired—Ed.]

Another cheap solution
Because the government contracts all this out and doesn’t want to pay for quality contractors. So much turnover in the cyber side that by the time folks get caught up, they’ve lost that contract to some ****** company that bid so low they’ll never be able to complete the work. So they take the government money for a year until the government can drop them and look for another cheap solution to an expensive problem.

But why has almost nothing changed? Here’s Entrope:

Cannot afford to
Ultimately, IT security is an overhead cost. … Compliance costs effort and money, and you need a cost/benefit analysis to figure out what makes sense.

Agencies’ critical systems were often developed before the Internet was so widely used. … They cannot afford to stop doing their statutory functions for years while replacing the IT infrastructure.

Your tax dollars at work? KChat follows the money:

Follow-up with the cash
Has there been funding allocated to replace these legacy systems? To staff-up IT so they can effectively manage system patches?

It’s great the Senate does these reports, but they need to follow-up with the cash to implement the recommendations. Or the report two years from now will say the same things.

If only we had an insider to tell it like it is. u/Stock_Ad_8145 tells it like it is:

Drill instructor
I worked with a federal agency’s information security office last summer. I worked specifically with the assessment and authorization team. They wanted me to research how to incorporate MITRE ATT&CK—which is a repository of common attacker tactics, techniques, and procedures—into their security assessments.

They didn’t have really anyone working their security operations center, had minimal maturity when it came to threat intelligence, and had absolutely terrible leadership. When I presented my research, it caused a lot of people to get upset when I used the Russian advanced persistent threat example APT29 as an example use case. A month later I read an article about how APT29 was stealing their sensitive data.

This is a leadership issue. … There is so much bureaucratic in-fighting that it makes it impossible for anyone to do their jobs effectively.

We don’t need a cybersecurity coordinator at the White House. We need a cybersecurity chief drill instructor.

As does t0qer, who formerly worked at the Defense Dept and now works at the Department of Veterans Affairs:

Farts in the wind
[At] the agency I’m currently with … the Doctors are spoiled brats, and if they don’t get their way they’ll call the hospital director, who will call your area manager, and basically **** will roll downhill. At the DoD if someone didn’t get their mandatory training done, their PIV was turned off. [At the] VA that is completely tossed out the window.

I’d imagine it’s much of the same at these other agencies, but just not as scrutinized as the DoD. Some director somewhere basically screaming at IT to, “Just make it work, I don’t care.”

Maybe if these other agencies had penalties as stiff as the DoD (ranging from an area manager being ousted to jail time in Leavenworth) maybe they would take their cyber seriously. Until some examples are made, this is nothing more than farts in the wind and will likely continue ad infinitum.

And also NukemHill:

D’oh!
I worked as a contractor at the State Department a few years ago. At the time, they had a publicly facing server that had been hijacked and was sending out viruses. Every general meeting we had in IT, the subject came up.

The standard answer was, “We haven’t been able to shut it down yet. We don’t know how.” D’oh!

How to fix it? u/ShenmeNamaeSollich cuts to the chase:

GS-12
Pay more & make the jobs more attractive to better applicants. Federal IT jobs are filled either by lowest-bid contractors where execs take home most of the money while workers … top out around GS-12, barely $100K/yr.

Meanwhile, Fred Duck finds the silver lining:

On the plus side, a D is considered a passing grade.

And Finally:

TIL: Prince was a huge fan of “Little” Jimmy Scott

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Maria Thalassinou (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
