Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Senate Report Shows Decade-Long Failure of Gov Agencies to Protect Personal Data

A new report from the U.S. Senate’s Committee on Homeland Security and Governmental Affairs has revealed the decade-long failure of several important federal agencies to secure their systems and protect sensitive and personal information.

A new report from the U.S. Senate’s Committee on Homeland Security and Governmental Affairs has revealed the decade-long failure of several important federal agencies to secure their systems and protect sensitive and personal information.

The report, signed by Rob Portman, chairman of the Permanent Subcommittee on Investigations, and Tom Carper, ranking member of the subcommittee, is the result of a 10-month investigation covering 10 years of Inspector General reports.

The analysis targeted the Department of Homeland Security, the Department of State, the Department of Transportation, the Department of Housing and Urban Development, the Department of Agriculture, the Department of Health and Human Services, the Department of Education, and the Social Security Administration. These agencies, except the DHS, have been assigned the lowest cybersecurity rating by the Office of Management and Budget.

According to the report, seven of the eight agencies failed to ensure adequate protection for personal information, and five of them failed to maintain accurate IT asset inventories.

All of the eight government organizations are still using systems or applications that no longer receive security updates, and six of them have failed to install patches or take action for mitigating vulnerabilities in a timely manner.

The investigation has found that agencies such as the DHS, the Department of Transportation, the Department of Agriculture, and the HHS failed to address vulnerabilities and other cybersecurity issues for 10 years, while the State Department’s systems were weakened by security holes that remained unresolved for more than five years.

In the case of the Department of Education, the report says the organization has not been able to prevent unauthorized devices from easily connecting to its network. The investigation also found that vulnerabilities in the systems of the Social Security Administration exposed the personal information of 60 million individuals who receive social security benefits.

“Hackers with malicious intent can and do attack federal government cyber infrastructure consistently. In 2017 alone, federal agencies reported 35,277 cyber incidents,” Portman said. “After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats.”

Related: Equifax Was Aware of Cybersecurity Weaknesses for Years, Senate Report Says

Related: U.S. Senators Want Transparency on Senate Cyberattacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.