Federal Agencies Fail to Secure Systems: Report
A report compiled by one senator's staff finds major security problems at government agencies, including weak passwords, unpatched software and other issues.The U.S. Department of Homeland Security, Department of Energy and other government agencies have serious security shortfalls—from weak passwords to failures in patching critical software—that have left the agencies vulnerable to attack, according a report issued Feb. 4 by the minority staff of the U.S. Senate Homeland Security and Governmental Affairs Committee. The report, published by Sen. Tom Coburn (R.-Md.) and compiled from public sources, found that U.S. agencies had major concerns about the most basic security controls: software updating, weak and default passwords, poorly secured Websites and failure to report breaches. The government agencies are so busy preparing reports and satisfying auditors that they are not locking down the most critical security issues, Alan Paller, director of research for the SANS Institute, a security education and training organization, told eWEEK. By highlighting those issues, the report should call attention to the need for better security processes, he said. "The report is the best summary I have seen of the government's failure to establish a high standard and to lead by example," he said. Cyber-security incidents included the Nuclear Regulatory Commission storing data on publicly accessible hard drives, the Security and Exchange Commission exposing data about the networks supporting the New York Stock Exchange and hackers stealing personal information on more than 100,000 people from the Department of Energy. Other agencies affected by similar security issues include NASA, the Food and Drug Administration, the Federal Reserve, the U.S. Copyright Office and the Departments of Homeland Security, Justice, Defense, State, Labor and Commerce.
Considering its responsibility for leading the government's efforts to secure networks, the DHS' failures are particularly egregious, the report stated.