The “vast majority of federal agencies” have ineffective information security programs that risk the exposure of the critical government data, a Senate report published Tuesday found.
Agencies’ inspectors general assessing the federal government’s cybersecurity gave the largest agencies an overall grade of C- on an A to F scale, according to the Senate Homeland Security and Governmental Affairs Committee’s survey.
The worst score of D went to several agencies, including the Commerce, Education, State, Transportation, and Veterans Affairs departments as well as NASA, the Office of Personnel Management and the Social Security Administration.
Report authors Sens. Rob Portman, Ohio Republican, and Gary Peters, Michigan Democrat, wrote that no agency received an A for its cybersecurity program.
“This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers,” Mr. Portman said in a statement. “I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade — the American people deserve better.”
The poor grades reflect the federal government’s inability to adequately protect personal information, to wall off unauthorized users from sensitive systems, to keep its technology up to date, and to maintain an inventory of its information technology assets.
The weaknesses of the federal government’s cybersecurity have received renewed scrutiny in the wake of the SolarWinds hack of computer network management software that compromised nine federal agencies and was detected last year. The Biden administration blamed the Russian Foreign Intelligence Service (SVR) for the SolarWinds hacking campaign, and the Senate report makes clear that cyberespionage inside the government is accessible to far less sophisticated actors.
“For example, State Department was not able to provide documentation of user access agreements for 60% of the sample employees tested with access to the department’s classified network. This network contains data which if disclosed to an unauthorized person could cause ‘grave damage to national security,’” read the report. “Perhaps more troubling, [the State Department] failed to shut off thousands of accounts after extended periods of inactivity on both its classified and sensitive but unclassified networks.”
Some employees who were fired, quit or retired still had access to their government accounts five months after they left the State Department, according to the report.
Agencies that scored relatively higher marks also have experienced cybersecurity challenges. For example, the U.S. Agency for International Development (USAID) received a B in the Senate report. In May 2021, Microsoft said it observed hackers breaching USAID systems to target 3,000 email accounts at more than 150 organizations.
Microsoft said the cyberattackers responsible for the SolarWinds hack were also behind the hacking campaign targeting USAID’s Constant Contact account. Constant Contact is a company that makes email marketing software.
The full picture of sensitive government information exposed to hackers is unclear. On Friday, the Justice Department disclosed that the SolarWinds hack also compromised email accounts across 27 different U.S. Attorneys offices, including in Washington and New York.
A White House spokesperson said federal agencies had failed to address their information security weaknesses for decades and maintained that the Biden administration is now taking action to address the problem.
The spokesperson pointed to the money for cybersecurity modernization efforts that the Biden administration included in the coronavirus relief package enacted this year, including $1 billion for a tech modernization fund and $650 million for the Cybersecurity and Infrastructure Security Agency.
The spokesperson also said the administration is implementing President Biden’s executive order from May on cybersecurity, designed to improve guidelines for government vendors and to develop a framework for federal civilian agencies to follow in using cloud services, among other things.
Mr. Portman said he will offer new legislation to better protect Americans’ data, and Mr. Peters, who chairs the homeland security panel, said he would work with the Ohio Republican to ensure that federal agencies change their cybersecurity practices.