Report Again Finds US Government IT Security Sucks, Three Years After Saying The Same Thing
from the giant-wheel-of-dysfunction dept
Three years ago a US Senate Committee report showed that the U.S. government's cybersecurity defenses were the IT equivalent of damp cardboard. The study found that numerous government agencies were using dated systems that were expensive to maintain but hard to properly secure. It also noted how, from 2008 to 2018, the government repeatedly failed to adequately protect sensitive data at the Social Security Administration and the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education.
Three years have gone by and guess what: very little has actually changed. The latest 47-page report (pdf) found that little meaningful improvement was made over those three years, with cybersecurity at the same eight federal agencies earning four grades of D, three Cs, and a single B:
"It is clear that the data entrusted to these eight key agencies remains at risk. As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable."
This report is just one of countless instances over the last two decades in which the government was warned that its expensive, shitty, dated systems simply weren't secure. Of the eight agencies in this report, only DHS showed meaningful improvement in IT security:
"What this report finds is stark. Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. As such, this report finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America’s sensitive data."
Much like election security, there's a lot of bloviation and a lot of consultant bucks thrown around -- often with little to show for it. DC lawmakers talk a lot about the importance of cybersecurity, but only insofar as it's useful for partisan fear mongering, lining the pockets of campaign contributors, weakening encryption for their own surveillance purposes, or protecting the interests of dominant domestic corporations. But when it comes to taking actual, intelligent, meaningful action (like, oh, shoring up the security nightmare that is the internet of broken things), we fail repeatedly.
The report of course comes about seven months after Russian government-sponsored hackers used a massive supply chain attack to gain access to systems at numerous US government agencies and over 100 corporations, and just four months after Chinese government-sponsored hackers breached multiple federal agencies by exploiting vulnerabilities in the Pulse Secure VPN. While both events have taken the usual DC consternation, hand wringing, and big-dollar consultant payouts to new levels, who the hell knows if any of it leads to actual, meaningful reform.
–The Techdirt Team
Filed Under: cybersecurity, government it, government technology, homeland security, it, security
Reader Comments
We protect our networks with threats of full-scale war. What else are we supposed to do?
Re:
There are so many things that can be done, the list is too long.
Like registering secure connections to ONLY certain other machines/people and those that DO need access.
Then there is the idea that if you can't have 100% secure, you create protections like honeypots, and break up the data so that only certain progs can read them properly. Having one file system setup means that one large file is all they need to gather.
But the ones that REALLY should be complaining are the banks. With all our data out in the wild, how can they prove a person made a purchase? You can't. You can contest anything on your statements. So, where are the banks in this?
Well, in the IOT, they now have a watch that holds your data. And you can use it as your credit card. Any hacker knowing this could just walk by and send the signal to release the data. They recently changed the credit card designs, but still, in the IOT it's a tap away from being read and used around the world.
So what can they do?
Anything the IOT can bring to fruition can be copied/replicated and hacked. Even in the old days, a check was a dangerous thing. If you understand that long number on the bottom, you could just steal an account directly. But check verification is still a time-consuming thing.
fr
We as a country (meaning both government and private corps) need to do only one thing. Let me repeat that:
ONLY ONE THING
Easy - disconfuckingnect the bleeping computer from the bleeping Internet!!!!!!!
"Oh, but then we can't access it!" Tough shit. Go sit at the console and do your job. There's no reason for you to log in remotely from the deck of your yacht. If you can do so, then so can Ivan, or Wei-fan, or Abdul, or.....
Like the old saying goes, there are three things available for your list:
a) ease-of-access
b) cost effectiveness
c) security
Pick two.
Go after the negligence!
Anyone else notice that when there's some massive hack caused by someone putting systems on the open internet with a password of 1234, they act like it's some natural disaster or act of terrorism instead of properly handling it as a simple act of corporate negligence! Security costs money; breaches currently do not.
Re: Re:
If they ever bothered to seriously prosecute the negligent corporations that made systems with less security awareness than an average nine-year-old, things would change real fast. But as long as breaches don't actually cost these companies anything at all, it would be pretty illogical for them to spend the money for proper security...
Next time a sensitive government system gets hacked through some unintentional back door or some undisclosed "support" account, fine them a couple million and give the CTO a year behind bars, it'll be the last time that ever happens.
The fact that the US has no framework protection for user data as simple as GDPR is telling. Even a company like Facebook can't comply with basic privacy laws of the EU, as repeatedly proven in court. As long as privacy violations are something to monetize and not something to be ashamed of, this is a story which writes itself. There is no incentive to protect sensitive data, at any level.
Re:
Well, the GDPR and Facebook both are fucking messes, what would one expect?
Re: Re: Re:
"...fine them a couple million and give the CTO a year behind bars, it'll be the last time that ever happens."
I'm reminded that Enron gave the corporate world SOD/SOX - rules around standardized delegation of authority and fiscal accountability.
IT is, alas, a lot harder and more inconvenient to write auditable rules around... although it has to be said that while IT security companies themselves certainly abide by such standards, no corporation I'm aware of has come anywhere close to successfully implementing them.
A well-run established corporation runs a locked-down OS which refuses to accept USB connections, runs every internal application on a secured intranet, has dynamically updated whitelists for all web domains accessible from the corporate laptop, and regularly runs phishing exercises on its staff. And that's still just the bare minimum of required bare-bones security.
Aging Applications
Having worked on both government and commercial applications, one of the most telling issues is that corporations write applications that can be implemented to solve a problem. That software gets implemented in a big, visible project that makes news and other blurbs for the senior people who sponsored the project. However, after that, the money moves on to other make-the-news type projects. The budget gets cut for supporting the other, non-newsworthy projects. Then 10 to 15 years later, security for the system is berated 'because'. If there had been proper maintenance of the system, including security and version updates over the years, then there would probably not be an issue. But there are always budget cuts, etc., etc. as reasons why systems can't be maintained. However, when the system then looks like a legacy problem, it's time for more PR announcements and blurbs about modernization projects.

Corporations at least need to keep public interest and keep making money. The government, on the other hand, just needs to keep churning out government things and keep collecting taxes and fees. Whatever project installs the new great XXX software also needs to budget the money to keep up with annual or bi-annual updates to the software package.

One project I worked on was using a version of MS-SQL Server for its database that was 9 years old and 3 versions out of date. BUT there was no money for the project to update it, so it will just keep churning along until the system fails or some project comes along that HAS to have a feature from a newer version and has enough visibility to get PR blurbs to update the infrastructure to the latest and greatest, as if that shouldn't have been done all along. The poison of politics is everywhere in life, not just in the stolen elections.