recommended reading

Despite Spending $65 Billion on Cybersecurity, Agencies Neglect Basic Protections

Susan Walsh/AP File Photo

After spending at least $65 billion since 2006 to protect federal computers and networks from hackers, government agencies remain vulnerable, often because officials have neglected to perform basic security steps such as updating software, according to a report released Tuesday by a key Republican senator.

The study cites lapses at the very agencies responsible for protecting U.S. networks and sensitive data, including the Homeland Security Department and the Securities and Exchange Commission.

"Although it has steadily improved its overall cybersecurity performance, DHS is by no means a standard-setter," states the assessment by Sen. Tom Coburn, R-Okla., ranking Republican on the Homeland Security and Governmental Affairs Committee.

For example, in 2013, the Office of Management and Budget "found DHS rated below the governmentwide average for using antivirus software or other automated detection programs encrypting email, and security awareness training for network users,” the 19-page analysis notes.

The cases cited are drawn from reports by federal auditors, agency inspectors general and the media.

According to Reuters, a 2012 investigation found that an SEC team responsible for ensuring that markets safeguard their systems was itself negligent: “Members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits,” Coburn’s review stated. “They also appeared to have connected laptops containing sensitive information to unprotected Wi-Fi networks at public locations like hotels -- in at least one reported case, at a convention of computer hackers.”

While sophisticated hackers are typically behind breaches, they often exploit mundane weaknesses, particularly out-of-date software. In July, an outsider used that kind of known, fixable bug to steal private information about more than 100,000 Energy Department personnel. “The department’s inspector general blamed the theft in part on a piece of software that had not been updated in over two years, even though the department had purchased the upgrade,” Coburn’s report stated.

At the Nuclear Regulatory Commission, which catalogues details on nuclear facilities, there is such “a general lack of confidence” in the information technology division that NRC offices have effectively gone rogue by deploying their own computers and networks without telling the IT division, the commission’s IG noted in December 2013. 

Despite Coburn’s observations, NRC, the General Services Administration and DHS are tied for first place in the latest report card ranking agencies' compliance with federal cyber legislation, known as the 2002 Federal Information Security Management Act.

A spokeswoman for the committee’s Democratic leader said Chairman Sen. Tom Carper, D-Del., appreciates Coburn’s interest in federal information security and his work on the report, which Carper’s committee staff is still reviewing.

It "appears to reiterate some well-known security challenges identified in previous inspector general reports," she said.

Carper agrees with Coburn that Congress should reform FISMA, which was written more than a decade ago, the spokeswoman said.  The pair has “spent much of the past year trying to find areas where they can work together on bipartisan legislation to enhance our nation’s cybersecurity efforts,” she said. Carper “remains hopeful that they will soon come to agreement on bipartisan legislation to enhance our nation’s cyber security.”      

Administration officials declined to comment on the specifics of the just-released report but acknowledged that federal agencies face challenges securing their networks. Focusing resources on preempting threats and improving the government’s collective cyber posture is critical, White House spokeswoman Laura Lucas Magnuson said.

"Governmentwide, we have made cybersecurity one of our cross-agency priority goals, meaning that each federal agency must report back to the Office of Management and Budget about the IT assets it has in place to ensure that its networks are security configured and patched; that agencies are properly authenticating IT users; and that agencies are protecting their network perimeters using the best methods available," she said.  "We issue status updates on Performance.gov each quarter."

Get the Nextgov iPhone app to keep up with government technology news.

Threatwatch Alert

Stolen laptop

Wireless Heart Monitor Maker to Pay $2.5M Settlement to HHS After Laptop Stolen

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.