Senate Cybersecurity Report Highlights Government Failures

Last January, hackers gained access to U.S. Army Corps of Engineers computers and downloaded a database full of information about the country’s 85,000 dams — including sensitive information about each dam’s condition.

This was just one incident cited in a report released today by the Senate Homeland Security and Governmental Affairs Committee. According to Sen. Tom Coburn (R-OK), the government has done a poor job at protecting critical infrastructure.

“Weaknesses in the federal government’s own cybersecurity have put at risk the electrical grid, our financial markets, our emergency response systems and our citizens’ personal information,” said Coburn, in a statement. “While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cybersecurity, there are very basic – and critically important – precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing.”

The report bases its findings on issues raised in more than 40 audits, investigations and reviews by agency Inspectors General, the Government Accountability Office and others. Some of the issues involved simple fixes like stronger passwords; others involved applying patches and updates more quickly to address vulnerabilities.

“In March 2012, IRS computers had 7,329 ‘potential vulnerabilities’ because critical software patches had not been installed on computer servers which needed them,” the report notes. “At one point in 2011, over a third of all computers at the IRS had software with critical vulnerabilities that were not patched. IRS officials said they expect critical patches to be installed within 72 hours. But TIGTA [Treasury Inspector General for Tax Administration] found it took the IRS 55 days, on average, to get around to installing critical patches. Most recently, in September 2013, TIGTA re-affirmed that the IRS still ‘has not yet fully implemented a process to ensure timely and secure installation of software patches.’”

Every year since 2008, the General Accounting Office (GAO) has found approximately 100 cybersecurity holes at the IRS, with many of them repeated year after year.

Even the Nuclear Regulatory Commission [NRC] did not go unscathed. In the report, the committee notes that the NRC stored sensitive cybersecurity data for nuclear plants on an unprotected shared drive, making them vulnerable to hackers.

“These findings are not surprising,” Matt Standart, Threat Intelligence Director, HBGary, told SecurityWeek. “They reflect the overall state of security in most, if not all, organizations. Attackers are motivated to get in and they will do so by following the path of least resistance. These paths, or vulnerabilities, are the result of poor policy and planning, lack of resources and integration, insufficient technology and execution, or overall plain human error and negligence.”

There is also a larger issue at play here – personal responsibility, said TK Keanini, CTO of Lancope.

“The cybersecurity of the nation is everyone’s responsibility,” Keanini said. “The president’s call to action should be for everyone – all citizens of the nation and not just those associated with critical infrastructure.”

“The problem is that cybersecurity is an everyone and everything problem, not just this computer or that network because it is deemed critical infrastructure,” he added. “Yes, it is important to call these out and label them as such but in this hyper-connected world malicious intruders have hundreds of ways to go about their campaign and only one needs to work.”

*Additional reporting by Mike Lennon.

Related Reading: Military Database of U.S. Dams Compromised by Attackers
