Despite Spending $65 Billion on Cybersecurity, Agencies Neglect Basic Protections

After spending at least $65 billion since 2006 to protect federal computers and networks from hackers, government agencies remain vulnerable, often because officials have neglected to perform basic security steps such as updating software, according to a report released Tuesday by a key Republican senator.

The study cites lapses at the very agencies responsible for protecting U.S. networks and sensitive data, including the Homeland Security Department and the Securities and Exchange Commission.

"Although it has steadily improved its overall cybersecurity performance, DHS is by no means a standard-setter," states the assessment by Sen. Tom Coburn, R-Okla., ranking Republican on the Homeland Security and Governmental Affairs Committee.

For example, in 2013, the Office of Management and Budget "found DHS rated below the governmentwide average for using antivirus software or other automated detection programs encrypting email, and security awareness training for network users,” the 19-page analysis notes.

The cases cited are drawn from reports by federal auditors, agency inspectors general and the media.

According to Reuters, a 2012 investigation found that an SEC team responsible for ensuring that markets safeguard their systems was itself negligent: “Members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits,” Coburn’s review stated. “They also appeared to have connected laptops containing sensitive information to unprotected Wi-Fi networks at public locations like hotels -- in at least one reported case, at a convention of computer hackers.”

While sophisticated hackers are typically behind breaches, they often exploit mundane weaknesses, particularly out-of-date software. In July, an outsider used that kind of known, fixable bug to steal private information about more than 100,000 Energy Department personnel. “The department’s inspector general blamed the theft in part on a piece of software that had not been updated in over two years, even though the department had purchased the upgrade,” Coburn’s report stated.

At the Nuclear Regulatory Commission, which catalogues details on nuclear facilities, there is such “a general lack of confidence” in the information technology division that NRC offices have effectively gone rogue by deploying their own computers and networks without telling the IT division, the commission’s IG noted in December 2013. 

Despite Coburn’s observations, NRC, the General Services Administration and DHS are tied for first place in the latest report card ranking agencies' compliance with federal cyber legislation, known as the 2002 Federal Information Security Management Act.

A spokeswoman for the committee’s Democratic leader said Chairman Sen. Tom Carper, D-Del., appreciates Coburn’s interest in federal information security and his work on the report, which Carper’s committee staff is still reviewing.

It "appears to reiterate some well-known security challenges identified in previous inspector general reports," she said.

Carper agrees with Coburn that Congress should reform FISMA, which was written more than a decade ago, the spokeswoman said.  The pair has “spent much of the past year trying to find areas where they can work together on bipartisan legislation to enhance our nation’s cybersecurity efforts,” she said. Carper “remains hopeful that they will soon come to agreement on bipartisan legislation to enhance our nation’s cyber security.”      

Administration officials declined to comment on the specifics of the just-released report but acknowledged that federal agencies face challenges securing their networks. Focusing resources on preempting threats and improving the government’s collective cyber posture is critical, White House spokeswoman Laura Lucas Magnuson said.

"Governmentwide, we have made cybersecurity one of our cross-agency priority goals, meaning that each federal agency must report back to the Office of Management and Budget about the IT assets it has in place to ensure that its networks are security configured and patched; that agencies are properly authenticating IT users; and that agencies are protecting their network perimeters using the best methods available," she said.  "We issue status updates on Performance.gov each quarter."

Get the Nextgov iPhone app to keep up with government technology news.