recommended reading

Despite Spending $65 Billion on Cybersecurity, Agencies Neglect Basic Protections

Susan Walsh/AP File Photo

After spending at least $65 billion since 2006 to protect federal computers and networks from hackers, government agencies remain vulnerable, often because officials have neglected to perform basic security steps such as updating software, according to a report released Tuesday by a key Republican senator.

The study cites lapses at the very agencies responsible for protecting U.S. networks and sensitive data, including the Homeland Security Department and the Securities and Exchange Commission.

"Although it has steadily improved its overall cybersecurity performance, DHS is by no means a standard-setter," states the assessment by Sen. Tom Coburn, R-Okla., ranking Republican on the Homeland Security and Governmental Affairs Committee.

For example, in 2013, the Office of Management and Budget "found DHS rated below the governmentwide average for using antivirus software or other automated detection programs encrypting email, and security awareness training for network users,” the 19-page analysis notes.

The cases cited are drawn from reports by federal auditors, agency inspectors general and the media.

According to Reuters, a 2012 investigation found that an SEC team responsible for ensuring that markets safeguard their systems was itself negligent: “Members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits,” Coburn’s review stated. “They also appeared to have connected laptops containing sensitive information to unprotected Wi-Fi networks at public locations like hotels -- in at least one reported case, at a convention of computer hackers.”

While sophisticated hackers are typically behind breaches, they often exploit mundane weaknesses, particularly out-of-date software. In July, an outsider used that kind of known, fixable bug to steal private information about more than 100,000 Energy Department personnel. “The department’s inspector general blamed the theft in part on a piece of software that had not been updated in over two years, even though the department had purchased the upgrade,” Coburn’s report stated.

At the Nuclear Regulatory Commission, which catalogues details on nuclear facilities, there is such “a general lack of confidence” in the information technology division that NRC offices have effectively gone rogue by deploying their own computers and networks without telling the IT division, the commission’s IG noted in December 2013. 

Despite Coburn’s observations, NRC, the General Services Administration and DHS are tied for first place in the latest report card ranking agencies' compliance with federal cyber legislation, known as the 2002 Federal Information Security Management Act.

A spokeswoman for the committee’s Democratic leader said Chairman Sen. Tom Carper, D-Del., appreciates Coburn’s interest in federal information security and his work on the report, which Carper’s committee staff is still reviewing.

It "appears to reiterate some well-known security challenges identified in previous inspector general reports," she said.

Carper agrees with Coburn that Congress should reform FISMA, which was written more than a decade ago, the spokeswoman said.  The pair has “spent much of the past year trying to find areas where they can work together on bipartisan legislation to enhance our nation’s cybersecurity efforts,” she said. Carper “remains hopeful that they will soon come to agreement on bipartisan legislation to enhance our nation’s cyber security.”      

Administration officials declined to comment on the specifics of the just-released report but acknowledged that federal agencies face challenges securing their networks. Focusing resources on preempting threats and improving the government’s collective cyber posture is critical, White House spokeswoman Laura Lucas Magnuson said.

"Governmentwide, we have made cybersecurity one of our cross-agency priority goals, meaning that each federal agency must report back to the Office of Management and Budget about the IT assets it has in place to ensure that its networks are security configured and patched; that agencies are properly authenticating IT users; and that agencies are protecting their network perimeters using the best methods available," she said.  "We issue status updates on Performance.gov each quarter."

Get the Nextgov iPhone app to keep up with government technology news.

Threatwatch Alert

Accidentally leaked credentials / Software vulnerability

Cloudflare Bug Leaked Passwords, Dating Chats and Other Sensitive Info for Months

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.