Senate report says agencies including Homeland Security and State have substandard security measures

Government agencies are putting citizen data at risk through poor cybersecurity practices, such as running legacy systems and applications no longer supported by the vendor with security updates, according to a new Senate report.

A review of eight agencies found that seven of them are running unsupported systems or applications, six are failing to install security patches quickly, and six are running systems without current authorizations to operate them. In addition, seven of the eight agencies fail to protect personally identifiable information adequately, according to the report from senior members of the Senate Homeland Security and Governmental Affairs Committee.

Little has changed since the committee’s last cybersecurity report in 2019, with only one of the eight agencies, the Department of Homeland Security, making significant improvements, the report said. Agency inspectors general have found “many of the same issues that have plagued federal agencies for more than a decade.” In addition, the remaining federal agencies “still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.”

Several cybersecurity professionals said the report raises a number of concerning issues but seems to mirror the challenges that private companies face.

Yet the report isn’t surprising, added Andrew Howard, CEO at Kudelski Security. “The government, much like other organizations, has a major cybersecurity challenge across a ridiculously big footprint of systems,” he told the Washington Examiner. “These types of findings, such as poor patching and unauthorized systems, are all too common, even in the most sophisticated organizations. The number of legacy systems alone within the government is daunting.”

Other security professionals raised alarm bells. The agencies appear to have the security posture of a “third-world country,” said Richard Blech, CEO of XSOC Corp. “The lack of updated systems and continued reliance on legacy systems is resoundingly unacceptable,” he told the Washington Examiner.

He recommended that agencies follow the government’s cybersecurity guidelines set out by the National Institute of Standards and Technology. “All federal agencies should be required to have a plan and follow through with that plan in a timely, efficient manner to replace all legacy and outdated systems that no longer have support,” he said. “The fact that this report finds that agencies have not been doing so is reprehensible.”

Blech downplayed concerns that agencies don’t have enough money to fix their deficiencies. “The issue seems to be one of motivation more so than budget,” he said. “Congress has thrown billions at the agencies to be more cyber-ready, and yet systems remain improperly unattended to with regards to security.”

The Senate report recommended that the federal government take a centrally coordinated approach to improve cybersecurity across agencies. The White House Office of Management and Budget should also require agencies to adopt a risk-based budgeting model for IT investments, it said.

“Agencies currently use limited technology funds on capabilities for perceived security weaknesses, instead of those most likely to be exploited by hostile actors,” the report said. “This risk-based model would address blind information technology spending and provide agencies with a better sense of their return on investment for each capability acquired.”

The report shows that current federal regulations, including the Federal Information Security Modernization Act, are ineffective against modern cybersecurity challenges, said J.R. Cunningham, the chief security officer at Nuspire. FISMA was passed in 2014, before the explosion of smartphone use, before modern cloud services, and before app stores, he noted.

“We’re literally running federal cybersecurity out of a decades-old playbook,” he told the Washington Examiner.

Similar to Blech, Cunningham questioned whether spending more money on cybersecurity will solve the problem. Agencies should focus instead on spending money on cyber defenses that are more risk-aware and can adapt to changes in the threat landscape, he said.

“Our government agencies spend significant money on cyber, but they’re spending it on antiquated technologies and processes,” he added.