Government agencies in the United States are often failing to implement even the most basic deterrents that would boost their cybersecurity efforts, a new Senate report found.
According to the report – authored by Senator Tom Coburn (R-Okla.) and staff members at the Homeland Security and Governmental Affairs Committee – numerous federal agencies are leaving themselves open to cyberattacks simply by declining to fix simple, straightforward network problems.
The new findings surfaced despite the fact that the United States has boosted spending on cybsersecurity. Roughly $65 billion has been spent on securing computers and networks since 2006, the survey stated, but agencies “continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information.” One disturbing example was the lack of strong passwords in the government networks; a common key code was simply the word “password.”
Deficiencies in federal systems spanned multiple agencies, including those housing sensitive information such as the Nuclear Regulatory Commission, the Securities and Exchange Commission, and the Internal Revenue Service.
Even the Department of Homeland Security, which is responsible for supervising the security of all unclassified federal networks, is apparently lacking in its preparation. The report found “hundreds of vulnerabilities” on its systems, including “failures to update basic software [anti-virus programs, Microsoft Office, etc.]...the sort of basic security measure just about any American with a computer has performed.”
“None of the other agencies want to listen to Homeland Security when they aren’t taking care of their own systems,” Coburn, the ranking Republican on the committee that drafted the report, told The Washington Post. “They aren’t even doing the simple stuff.”
Some security breaches have been chalked up to pranks, such as last year’s hack that used the Emergency Broadcast System to air messages warning of zombie attacks in Michigan, Montana, and North Dakota.
Others have been more serious. A year ago, hackers stole a database of information regarding the United States’ 85,000 dams, including the “potential for fatalities if breached.” Meanwhile, the report found the Nuclear Regulatory Commission routinely stored security information for nuclear plants on a shared, unprotected drive. The SEC risked disaster as well, exposing sensitive information about the stock market’s systems and security.
In addition to these cases, more than 48,000 other “incidents” involving federal systems were reported to the DHS in the 2012 fiscal year. To make matters even more worrying, federal tests found that civilian agencies don’t detect about 40 percent of intrusions into their networks.
In the face of the Senate report, the White House acknowledged there’s still more work to be done in order for federal agencies to secure their networks.
“Almost every agency faces a cybersecurity challenge,” Michael Daniel, special assistant to the president on cybersecurity policy, said to the Post. “Some are farther along than others in driving awareness of it. It often depends on whether they’ve been in the crosshairs of a major cyber incident.”
Over the course of the past year, US officials have warned that cyberattacks now constitute the number one security threat to the country, and that China in particular has been responsible for a new digital offensive. In a particularly troubling case for the US, Chinese hackers were able to access sensitive information regarding some of the country’s most sophisticated weaponry.
China, for its part, adamantly denies the accusations. It claims to have “mountains of data” detailing attacks from the United States, and regards the US itself as the leading digital hacker.