In 2020, Russia-linked attackers breached nine government agencies by modifying a security patch for SolarWinds' network-management software. In 2021, another campaign — this time by China-linked attackers — compromised networks at multiple federal agencies by using a vulnerability in Pulse Connect Secure, a virtual private networking product.
Despite these successful attacks — along with an 8% increase in attempted attacks against the US government and a 2019 report documenting cybersecurity failures across federal agencies — an assessment released this week by the US Senate found the agencies have made little cybersecurity progress in the past two years. From failing to consistently apply critical patches to operating unsupported legacy systems, a variety of issues continue to affect their cybersecurity posture, the report states.
The details are "unnerving," says Doug Britton, CEO of Haystack Solutions, a provider of cybersecurity workforce services.
"These agencies deal with data that reaches the heart of what helps our country work, regulating transportation, research, and social services," he says. "It is startling to see how basic cyber protections are still not yet in place as we continue to see significant breaches making headlines."
In the "Federal Cybersecurity: America's Data Still At Risk" report, the US Senate Committee on Homeland Security and Governmental Affairs graded the departments of State, Transportation, Education, and the Social Security Administration a "D" for cybersecurity. The departments of Housing and Urban Development, Agriculture, and Health and Human Services each received a "C." The highest grade for cybersecurity, a "B," went to the Department of Homeland Security (DHS). Among the major issues, several agencies, including the State Department, did not deactivate former employees' accounts, allowing access for extended periods of time after the workers left government service.
In many ways the findings are not new, says Jamie Lewis, a venture partner at cybersecurity investment firm Rain Capital. Previous reports released by the Government Accountability Office and other agencies have spotlighted the US government's shortfalls in protecting data.
"[G]overnment agencies must develop a comprehensive and centralized strategy for national cybersecurity," Lewis says. "That includes the implementation of government-wide cybersecurity initiatives and addressing weaknesses in federal agency information security programs."
Every department of the federal government has had significant cybersecurity issues. DHS, for example, used an unsupported version of Microsoft Windows on 184 workstations, a problem that has lasted through at least six different audits under the seven-year-old Federal Information Security Modernization Act (FISMA). Meanwhile, a test of 10 systems used in the Department of State found 450 critical-risk vulnerabilities and 736 high-risk issues, failing to meet the department's own policies. Finally, the Department of Transportation failed to account for and monitor nearly 15,000 IT assets, including more than 2,800 workstations and 4,800 servers.
The report's assessment of the federal agencies garnered a variety of responses from security professionals. The security issues are not unsolvable, especially with a focus on identity and access management, says Rajiv Pimplaskar, chief revenue officer at Veridium, a provider of integrated identity services.
"Since cybersecurity investment often lags cybercrime, such lapses are not unusual in the federal and commercial sector," he says. "As the report indicates, systems housing user data or personally identifiable information (PII) are especially vulnerable as they present bad actors with a honeypot of valuable information."
Yet cybersecurity is a race, and the US government continually fails to keep up with attackers, says Kevin Jones, vice president of public sector for Virsec, a provider of cloud-workload protection services.
"The adversary has changed — they’ve gotten better, they’re faster, determined as ever, they have better training, and they have more money," he says. "So the divide between us and them has actually grown since 2019 due to the adversaries’ determined and often successful efforts on government systems that are largely status quo."
The recommendations set out by the US Senate Committee on Homeland Security and Governmental Affairs include calling on the Office of Management and Budget (OMB) to create a risk-based budgeting model for deciding whether certain technologies should be adopted, centralizing coordination of cybersecurity across government agencies, and calling on the Cybersecurity and Infrastructure Security Agency (CISA) to expand the security services it offers to other agencies.
The report calls on Congress to revise FISMA to update best practices, require incident reporting, and formalize CISA's central role for cybersecurity in the federal government.