A new report from the U.S. Senate’s Committee on Homeland Security and Governmental Affairs has revealed the decade-long failure of several important federal agencies to secure their systems and protect sensitive and personal information.
The report, signed by Rob Portman, chairman of the Permanent Subcommittee on Investigations, and Tom Carper, ranking member of the subcommittee, is the result of a 10-month investigation covering 10 years of Inspector General reports.
The analysis targeted the Department of Homeland Security, the Department of State, the Department of Transportation, the Department of Housing and Urban Development, the Department of Agriculture, the Department of Health and Human Services, the Department of Education, and the Social Security Administration. These agencies, except the DHS, have been assigned the lowest cybersecurity rating by the Office of Management and Budget.
According to the report, seven of the eight agencies failed to ensure adequate protection for personal information, and five of them failed to maintain accurate IT asset inventories.
All of the eight government organizations are still using systems or applications that no longer receive security updates, and six of them have failed to install patches or take action for mitigating vulnerabilities in a timely manner.
The investigation has found that agencies such as the DHS, the Department of Transportation, the Department of Agriculture, and the HHS failed to address vulnerabilities and other cybersecurity issues for 10 years, while the State Department’s systems were weakened by security holes that remained unresolved for more than five years.
In the case of the Department of Education, the report says the organization has not been able to prevent unauthorized devices from easily connecting to its network. The investigation also found that vulnerabilities in the systems of the Social Security Administration exposed the personal information of 60 million individuals who receive social security benefits.
“Hackers with malicious intent can and do attack federal government cyber infrastructure consistently. In 2017 alone, federal agencies reported 35,277 cyber incidents,” Portman said. “After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats.”