June 27, 2019 | Policy Brief

Federal Agencies Fail to Meet Basic Cybersecurity Standards

The Senate Homeland Security and Government Affairs Permanent Subcommittee on Investigations issued a stark bipartisan report this week on the federal government’s cybersecurity failings. The report noted that more than five years after a landmark attack, in which Chinese hackers infiltrated the computer systems of the Office of Personnel Management to steal the personnel files of over 22 million federal employees, the government’s ability to prevent malicious actors from exploiting the data of American citizens to harm U.S. national security is still woefully inadequate.

The subcommittee found that over the past decade, the eight federal agencies it investigated have consistently failed to protect personally identifiable information and to detect, respond to, and recover from cybersecurity incidents. The agencies are not implementing timely patches to fix known software vulnerabilities. They are also relying on legacy systems such as Windows XP, for which Microsoft stopped providing security updates more than five years ago.

The data that federal agencies are leaving exposed have significant national security implications. As the Senate report notes, the Department of Education has financial records of students and parents applying for college loans. The Department of Housing and Urban Development likewise has the financial information of homebuyers applying for mortgages. Malicious cyber actors can target these agencies’ vulnerable systems, exfiltrate the targeted information, and use it to trick unsuspecting citizens into downloading malware disguised as loan information. Meanwhile, nation-state actors could use the information to determine who is experiencing financial difficulties and therefore might be willing to compromise U.S. national security for the right price. Former National Counterintelligence Executive Michelle Van Cleave warned that China could similarly use the OPM data “to coerce, blackmail or recruit U.S. sources or simply enable personalized phishing schemes.”

At the same time, the Department of Transportation retains information on aircraft designs, operations, and flight tests because of its responsibility to regulate aviation safety – the kind of information a terrorist organization might find very valuable. The Department of Agriculture collects information on pathogens and toxins that in the wrong hands could threaten American food supplies. These agencies are not traditionally considered national security agencies, but their cybersecurity – or lack thereof – has serious national security implications.

The Senate report contains a number of recommendations for how agencies can improve their cybersecurity posture. At the most basic level, the federal government needs to move away from legacy systems and ensure that system patches are installed in a timely manner. Sometimes experts test software updates in a controlled environment before pushing the patch onto the rest of their network. But while this delay is sometimes necessary to prevent unforeseen errors in bespoke systems, it does not explain findings from the report, such as the Department of Homeland Security’s failure “to properly apply security patches for the last ten consecutive years.”

As the United States is stepping up its own use of cyber weapons – as reflected in recent reports of cyber operations targeting Iranian military systems – Washington must focus on defensive measures as well. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, for example, is doing important work to protect government systems and interface with the private sector. But other offices in the department are not properly storing sensitive data. All federal agencies and personnel must recognize that cybersecurity is critical to their mission and to the national security of the United States. It is not merely the IT department’s problem.

Annie Fixler is the deputy director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Trevor Logan is a cyber research associate. Follow Annie and Trevor on Twitter @afixler and @TrevorLoganFDD. Follow FDD on Twitter @FDD. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
