Federal Agencies Fail to Secure Systems: Report
The U.S. Department of Homeland Security, Department of Energy and other government agencies have serious security shortfalls—from weak passwords to failures in patching critical software—that have left the agencies vulnerable to attack, according a report issued Feb. 4 by the minority staff of the U.S. Senate Homeland Security and Governmental Affairs Committee.
The report, published by Sen. Tom Coburn (R.-Md.) and compiled from public sources, found that U.S. agencies had major concerns about the most basic security controls: software updating, weak and default passwords, poorly secured Websites and failure to report breaches. The government agencies are so busy preparing reports and satisfying auditors that they are not locking down the most critical security issues, Alan Paller, director of research for the SANS Institute, a security education and training organization, told eWEEK.
By highlighting those issues, the report should call attention to the need for better security processes, he said. "The report is the best summary I have seen of the government's failure to establish a high standard and to lead by example," he said.
Cyber-security incidents included the Nuclear Regulatory Commission storing data on publicly accessible hard drives, the Security and Exchange Commission exposing data about the networks supporting the New York Stock Exchange and hackers stealing personal information on more than 100,000 people from the Department of Energy. Other agencies affected by similar security issues include NASA, the Food and Drug Administration, the Federal Reserve, the U.S. Copyright Office and the Departments of Homeland Security, Justice, Defense, State, Labor and Commerce.
Considering its responsibility for leading the government's efforts to secure networks, the DHS' failures are particularly egregious, the report stated.
"Since it was selected to shoulder the profound responsibility of overseeing the security of all unclassified federal networks, one might expect DHS' cyber protections to be a model for other agencies, or that the department had demonstrated an outstanding competence in the field," the report stated. "But a closer look at DHS' efforts to secure its own systems reveals that the department suffers from many of the same shortcomings found at other government agencies."
The reported noted that the Office of Management and Budget found that the DHS deployed less security software, encryption and security awareness training than the average of other government agencies. The agency is also behind on plans to lock down its communications: The DHS aimed to have 95 percent of all communications routed through specific trusted Internet connections (TICs), but so far, only 72 percent of traffic flows through the TICs.
The government has spent at least $65 billion on computer security since 2006, according to the Congressional Research Office (CRO). Until government agencies focus on what really matters, more money will be wasted, Paller said.
"As long as the agencies are being driven by their auditors to focus on important but not 'most important' controls, the federal government will continue to be easy pickings and a bad example for the nation," he said.