Last January, hackers gained access to U.S. Army Corps of Engineers computers and downloaded a database full of information about the country’s 85,000 dams — including sensitive information about each dam’s condition.
This was just one incident cited in a report released today by the Senate Homeland Security and Governmental Affairs Committee. According to Sen. Tom Coburn (R-OK), the government has done a poor job at protecting critical infrastructure.
“Weaknesses in the federal government’s own cybersecurity have put at risk the electrical grid, our financial markets, our emergency response systems and our citizens’ personal information,” said Coburn, in a statement. “While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cybersecurity, there are very basic – and critically important – precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing.”
The report bases its findings on issues made in more than 40 audits, investigations and reviews by agency Inspectors General, the Government Accountability Office and others. Some of the issues involved simple fixes like stronger passwords; others involved applying patches and updates more quickly to address vulnerabilities.
“In March 2012, IRS computers had 7,329 ‘potential vulnerabilities’ because critical software patches had not been installed on computer servers which needed them,” the report notes. “At one point in 2011, over a third of all computers at the IRS had software with critical vulnerabilities that were not patched. IRS officials said they expect critical patches to be installed within 72 hours. But TIGTA [Treasury Inspector General for Tax Administration] found it took the IRS 55 days, on average, to get around to installing critical patches. Most recently, in September 2013, TIGTA re-affirmed that the IRS still ‘has not yet fully implemented a process to ensure timely and secure installation of software patches.’”
Every year since 2008, the General Accounting Office (GAO) has found approximately 100 cybersecurity holes at the IRS, with many of them repeated year after year.
Even the Nuclear Regulatory Commission [NRC] did not go unscathed. In the report, the committee notes that the NRC stored sensitive cybersecurity data for nuclear plants on an unprotected shared drive, leaving that data exposed to hackers.
“These findings are not surprising,” Matt Standart, Threat Intelligence Director, HBGary told SecurityWeek. “They reflect the overall state of security in most, if not all, organizations. Attackers are motivated to get in and they will do so by following the path of least resistance. These paths, or vulnerabilities, are the result of poor policy and planning, lack of resources and integration, insufficient technology and execution, or overall plain human error and negligence.”
There is also a larger issue at play here – personal responsibility, said TK Keanini, CTO of Lancope.
“The cybersecurity of the nation is everyone’s responsibility,” Keanini said. “The president’s call to action should be for everyone – all citizens of the nation and not just those associated with critical infrastructure.”
“The problem is that cybersecurity is an everyone and everything problem, not just this computer or that network because it is deemed critical infrastructure,” he added. “Yes, it is important to call these out and label them as such but in this hyper-connected world malicious intruders have hundreds of ways to go about their campaign and only one needs to work.”
Additional reporting by Mike Lennon.