recommended reading

Despite Spending $65 Billion on Cybersecurity, Agencies Neglect Basic Protections

Susan Walsh/AP File Photo

After spending at least $65 billion since 2006 to protect federal computers and networks from hackers, government agencies remain vulnerable, often because officials have neglected to perform basic security steps such as updating software, according to a report released Tuesday by a key Republican senator.

The study cites lapses at the very agencies responsible for protecting U.S. networks and sensitive data, including the Homeland Security Department and the Securities and Exchange Commission.

"Although it has steadily improved its overall cybersecurity performance, DHS is by no means a standard-setter," states the assessment by Sen. Tom Coburn, R-Okla., ranking Republican on the Homeland Security and Governmental Affairs Committee.

For example, in 2013, the Office of Management and Budget "found DHS rated below the governmentwide average for using antivirus software or other automated detection programs encrypting email, and security awareness training for network users,” the 19-page analysis notes.

The cases cited are drawn from reports by federal auditors, agency inspectors general and the media.

According to Reuters, a 2012 investigation found that an SEC team responsible for ensuring that markets safeguard their systems was itself negligent: “Members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits,” Coburn’s review stated. “They also appeared to have connected laptops containing sensitive information to unprotected Wi-Fi networks at public locations like hotels -- in at least one reported case, at a convention of computer hackers.”

While sophisticated hackers are typically behind breaches, they often exploit mundane weaknesses, particularly out-of-date software. In July, an outsider used that kind of known, fixable bug to steal private information about more than 100,000 Energy Department personnel. “The department’s inspector general blamed the theft in part on a piece of software that had not been updated in over two years, even though the department had purchased the upgrade,” Coburn’s report stated.

At the Nuclear Regulatory Commission, which catalogues details on nuclear facilities, there is such “a general lack of confidence” in the information technology division that NRC offices have effectively gone rogue by deploying their own computers and networks without telling the IT division, the commission’s IG noted in December 2013. 

Despite Coburn’s observations, NRC, the General Services Administration and DHS are tied for first place in the latest report card ranking agencies' compliance with federal cyber legislation, known as the 2002 Federal Information Security Management Act.

A spokeswoman for the committee’s Democratic leader said Chairman Sen. Tom Carper, D-Del., appreciates Coburn’s interest in federal information security and his work on the report, which Carper’s committee staff is still reviewing.

It "appears to reiterate some well-known security challenges identified in previous inspector general reports," she said.

Carper agrees with Coburn that Congress should reform FISMA, which was written more than a decade ago, the spokeswoman said.  The pair has “spent much of the past year trying to find areas where they can work together on bipartisan legislation to enhance our nation’s cybersecurity efforts,” she said. Carper “remains hopeful that they will soon come to agreement on bipartisan legislation to enhance our nation’s cyber security.”      

Administration officials declined to comment on the specifics of the just-released report but acknowledged that federal agencies face challenges securing their networks. Focusing resources on preempting threats and improving the government’s collective cyber posture is critical, White House spokeswoman Laura Lucas Magnuson said.

"Governmentwide, we have made cybersecurity one of our cross-agency priority goals, meaning that each federal agency must report back to the Office of Management and Budget about the IT assets it has in place to ensure that its networks are security configured and patched; that agencies are properly authenticating IT users; and that agencies are protecting their network perimeters using the best methods available," she said.  "We issue status updates on each quarter."

Get the Nextgov iPhone app to keep up with government technology news.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.