Federal agencies fail to follow basic computer security standards including relying on a 48-year-old system for critical work, leaving the government vulnerable to hackers, according to Congressional report published on Tuesday.
“In 2017 alone, federal agencies reported 35,277 cyber incidents,” Sen. Robert Portman (R-Ohio) said in a statement about the report. “After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft.
The report, Federal Cybersecurity: America’s Data at Risk, is the result of a 10-month review by the Permanent Subcommittee on Investigations of the Senate Homeland Security Committee that examined a decade’s worth of inspector general reports. The findings detail how eight federal agencies are doing a poor job creating a defense against cyber threats at a time of increased worries about foreign governments hacking adversaries.
“Government agencies still seem to be struggling with the basics,” says Jake Olcott, vice president of government affairs at cybersecurity company BitSight told Fortune. “This has been a problem for decades. What’s interesting about this report is that it rightfully provides the scope of the problem.”
All of the eight agencies mentioned in the report used outdated systems. The Department of Transportation used a 48-year-old system to provide information on hazardous materials incidents. Maintaining the system became difficult, since very few workers knew how to use the older applications, according to the report. That system was decommissioned on May 31, 2019.
In another case, the Department of Homeland Security has been running Windows XP and Windows 2003 on various systems, despite the fact that Microsoft stopped supporting the software a few years ago.
The Social Security Administration was called a “persistent cybsersecurity threat” since it holds the information of 60 million Americans who receive benefits. One of its systems uses COBOL, a programming language developed in the 1950s, that many younger IT employees are unfamiliar with. Another system, called CHUMS, is so old that home lenders can only submit customer applications for loans through the mail so that the government can track the information.
These systems are “sitting ducks,” says Olcott. “Using systems that are so old and not supported anymore, basically creates an environment that makes it very easy for bad actors to gain access to private data.”
Losing track of hardware and software
Many off the agencies also failed to keep an accurate inventory of the hardware and software on the networks. This has been a “recurrent problem” over the past decade for the Department of State, Department of Transportation, Department of Housing and Urban Development, Department of Health and Human Services, and the Social Security Administration, according to the report.
It’s not rocket science, but even NASA has had trouble with it. Last week, a report from NASA’s inspector general disclosed that a $25 unauthorized Raspberry Pi computer was used as an entry point for hackers to get into the Jet Propulsion Laboratory’s network and access sensitive information.
“Not knowing the systems we are using, the devices, represents a big risk to an organization, particularly a government agency,” says Olcott. “Employees could bring in their own personal devices and connect to their network. And if the agency can’t monitor the addition of new devices, that’s an area where individual personnel could be introducing new risks.”
Not using mandatory security patches
Typically, organizations quickly deploy security patches from software vendors to plug critical holes in their systems that could otherwise be exploited by hackers. But the federal government isn’t treating the job of updating security with the necessary, according to the report.
All eight agencies failed to patch vulnerabilities in a timely manner, but some were worse offenders than others.
“Both DHS and DOT failed to properly apply security patches for the last ten consecutive years,” the report says. The U.S. Department of Agriculture failed for the last nine years.
“It’s a basic thing that when patches come out, it’s a best practice to deploy,” says Olcott.
The path forward
While the report showcases some embarrassing failures, it also offers some recommendations, including prioritizing hiring of people with a cybersecurity expertise, new budgeting procedures to ensure threats are being addressed, and consolidating processes so that agencies can be more nimble when it comes to responding to and mitigating threats.
Olcott says it ultimately comes down to accountability. More companies are now regularly receiving reports from their cybersecurity teams about their preparedness. Executives are also held accountable in the event of a major data breach.
“The reality is, unlike in the commercial sector today, where CEOs and board members are being fired because of data breaches, there is not the same level of accountability and responsibility in the federal government,” he says. “Start holding people accountable for improving security performance…Those are the things you need congressional and executive leadership.”