Interior faces 'disturbing' cyber risks due to cracked passwords and vulnerable assets

The Department of Interior is suffering from "disturbing" cybersecurity risks that pose major threats to federal networks and critical infrastructure, officials warned in congressional testimony Wednesday, as government information technology and operational technology systems face increased risks from malicious actors and foreign adversaries. 

Department of Interior Inspector General Mark Greenblatt told the House Committee on Natural Resources subcommittee on oversight and investigations Wednesday that his team successfully cracked more than 18,000 active department passwords as part of its January investigation. 

The associated report, published earlier this year, identified a series of sweeping challenges with the agency's password requirements and revealed that over 20% of the department's active passwords were easily susceptible to common hacking techniques employed by cybercriminals. 

"The results of our testing were troubling," Greenblatt told the House subcommittee. "The cracked passwords included hundreds of accounts that belonged to senior government officials, and hundreds more of accounts with elevated privileges."

According to the report, 99.99% of the cracked passwords met Interior's password complexity requirements, and nearly 90% of the department's high value assets did not enforce multifactor authentication, which means that some of the department's most important components lacked extra layers of protection, such as requiring a fingerprint, code or other additional verification to ensure enhanced security against unauthorized access.

Interior spends approximately $1.7 billion annually to maintain and operate its complex and interconnected portfolio of IT assets. The department is also tasked with addressing cyber risks that can impact critical infrastructure supporting offshore oil and gas production. 

Last year, the Government Accountability Office published a report that said Interior's Bureau of Safety and Environmental Enforcement had not fully incorporated privacy requirements into its enterprisewide risk management strategy, and had not implemented a strategy to address cybersecurity risks to offshore oil and gas infrastructure following the Colonial Pipeline ransomware attack in May 2021. 

"Absent such a strategy, oil and offshore gas infrastructure will continue to remain at significant risk from cyber threat actors," Marisol Cruz Cain, GAO director of IT and cybersecurity, told lawmakers. She added that the department has agreed with most of the GAO and IG findings and has outlined plans to address the issues. 

"It will be important for the department to follow through on their commitments to help ensure that the department is capable of both preventing and responding to the ongoing threats it faces," she added. 

Greenblatt recommended that the department begin fully enforcing the National Institute of Standards and Technology MFA requirements, adding: "Without requiring and enforcing MFA across its systems — including those that contain sensitive information — the department’s data remains at risk of unauthorized exposure."

The officials also recommended that Interior implement risk-based approaches to addressing cybersecurity issues impacting critical infrastructure and shift from passwords — which can be easily hacked — to passphrases, which allow users to leverage a string of unrelated words that are easy to remember but difficult for computers and cybercriminals to crack.