Government Meets Cybersecurity Threats with Indifference and a “D”

Posted July 21, 2015

In Congressional Testimony, a Senior Government Auditor Gave Federal Cybersecurity Efforts a “D” on a Scale of “A” to “F”

If you’ve ever been to a Department of Motor Vehicles — any DMV anywhere — and seen bureaucracy in action (or bureaucracy inaction) it should come as no surprise that despite the many warnings and breaches government agencies have suffered, they are still woefully unprepared.

In a nytimes.com article by Michael D. Shear and Nicole Perlroth, experts said “federal computer networks…are cobbled together with out-of-date equipment and defended with the software equivalent of Bubble Wrap.” The question is why, which is what the Shear and Perlroth piece attempts to answer. The following has been excerpted from the nytimes.com story and edited to fit our format. You may find the complete article by clicking on this link.

After the Office of Personnel Management breach that compromised 21 million individuals’ personal information, there’s some progress…sort of

At some agencies, 100 percent of users are, for the first time, logging in with two-factor authentication… Security holes that have lingered for years despite obvious fixes are being patched. And thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off.

Well at least it wasn’t an “F”

Asked in congressional testimony this month to grade the federal government’s cybersecurity efforts on a scale of A to F, a senior government auditor gave the government a D.

A low priority commitment

Despite high-profile incidents, including the theft of secrets by the national security contractor Edward J. Snowden, many government agencies have demonstrated little commitment to making cybersecurity a priority.

After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks.

The plane truth

A January audit of the Federal Aviation Administration cited “significant security control weaknesses” in the agency’s network, “placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.” But that agency had been warned for years that its computer networks were wide open to attack. In 2009, hackers stole personal information for 48,000 agency employees, prompting an investigation that found 763 high-risk vulnerabilities — any one of which, auditors said, could give attackers access to the computers that run the air traffic control system.

[Michael Brown, who served as the FAA’s chief information security officer said, “You come up with binders full of documentation, and then at the end of the day, you don’t have any money to go back and ameliorate. The system could be hanging out there for a long time with a vulnerability.”

Lacking DOE security

At the Department of Energy, after other breaches there, a hacker spent a month stealing personnel records from an unencrypted database in the summer of 2013. By the time Robert F. Brese, the department’s top cybersecurity official, was notified, the hacker had drained 104,000 names, addresses and Social Security numbers from its systems. “It was just this sickening feeling in my stomach,” Mr. Brese, now a consultant, recalled.

In the days that followed, investigators found numerous holes in the Energy Department’s network that contained sensitive information on nuclear propulsion and critical infrastructure. Government auditors slammed the department for lax security controls, lack of encryption and a failure to patch known vulnerabilities.

And while that could have served as an early warning, the breach was met with a shrug at other agencies.

IRS faces audit, comes up short

At the Internal Revenue Service, auditors identified 69 vulnerabilities in the agency’s networks last year, but when officials there told Government Accountability Office auditors this year that they had fixed 24 of those problems, investigators found only 14 had been resolved.

“That’s been a recurring theme,” said Gregory C. Wilshusen, the Government Accountability Office’s top computer systems investigator. “They believe they’ve taken corrective actions, but when one goes back to check, we find that they haven’t.

67,000 computer-related incidents last year

The dangers are accelerating as hackers repeatedly target computer networks used to collect taxes, secure ports and airports, run air traffic control systems, process student loans, oversee the nation’s nuclear stockpile, monitor the Federal Reserve and support the armed services. Last year, officials say, there were more than 67,000 computer-related incidents at federal agencies, up from about 5,000 in 2006.

Congress getting into the “enact”

Lawmakers are considering legislation to require sharing of information about malicious hacks and to set cybersecurity standards for federal systems. “This is going to have to be an area of much greater focus,” said Senator Mark R. Warner, Democrat of Virginia, a supporter of the legislation.

“Begging” for approval

Department of Homeland Security officials must continually trek to Capitol Hill for approval of the most mundane organizational shifts. “I thought my head would blow off when I had to get approval from people who had no idea what we were doing,” said Mark Weatherford, the former deputy under secretary for cybersecurity at the Department of Homeland Security.

Losing talent to the private sector

The [Department of Homeland Security] has had a hard time competing with the likes of Google, start-ups and other agencies for top talent…. Eric Cornelius, a graduate of the program who served as Homeland Security’s deputy director and chief technical analyst for its control systems security program, stayed only 18 months before leaving for Cylance, a security start-up. He said hiring was only half the problem. ‘The other half of the problem is the need to address firing reform,” Mr. Cornelius said. “In my experience, complacency is the enemy of competency.”

ThreatMetrix

ThreatMetrix

close btn