White House: Federal Agencies Remain Highly Vulnerable to Data Breaches Three Years After OPM

Many federal agencies don’t know how hackers are targeting them, can’t tell when hackers steal large amounts of their data and aren’t efficiently spending the cybersecurity money they have, according to a report and action plan released last week.

Roughly three-quarters of federal agencies’ cybersecurity programs are currently “at risk” or “at high risk,” according to the report, which was mandated in a 2017 executive order from President Donald Trump.

That order stated that top agency leaders would be held responsible for preventable cyber incidents that happened on their watch. Yet, most agencies, when polled, “did not, or could not, elaborate in detail on leadership engagement above the [chief information officer] level,” this month’s review found.

The review comes nearly three years after the Office of Personnel Management data breach, in which hackers compromised sensitive security clearance information about more than 20 million current and former federal employees.

The OPM breach prompted a “cyber surge” and numerous other efforts to shore up government networks and data, but those efforts haven’t produced the hoped-for results, according to the report.  

In fact, only 27 percent of agencies can detect and investigate attempts to access large amounts of their data and only 40 percent of agencies can detect when a user copies or removes massive encrypted data caches, the report found.

“Simply put, agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years,” the report states.

In 38 percent of cases, agencies couldn’t even identify the attack method of a breach that had already occurred, the report found.

“The current situation is untenable,” the report states, “as agencies lack both the visibility into their networks to determine the occurrence of cybersecurity incidents and the ability to minimize the impact of an incident if one is detected.”

The action plan portion of the report lists four main priorities: increasing cybersecurity awareness among federal employees; standardizing IT and cybersecurity tools across government; consolidating agency cyber operations to improve detection and response to cyber incidents; and making agencies and agency leadership more accountable for cybersecurity.

The report also lists a handful of other cyber vulnerabilities that the Office of Management and Budget will prioritize fixing. Among those:

• Agencies are relying on a slew of different tools and lists to manage which employees and contractors are authorized to access particular systems and datasets, leading to confusion that could be exploited by an attacker.
• The slow pace of consolidating government email services makes it extremely difficult to secure agencies against phishing attacks.
• Agencies are using multiple versions of the same software and using software with overlapping functionalities, massively increasing the number of possible software vulnerabilities they must contend with.