Senate Finds Major Cybersecurity Weaknesses At Federal Agencies, Warns Of Attacks

• A top Senate committee issued a report finding several federal agencies had major cybersecurity weaknesses and were “failing to protect the sensitive data they stored and maintained.”
• Inspectors were able to access hundreds of secure files, including credit card numbers, from the Department of Education without the agency noticing, while the State Department could not provide documentation on 60% of employees who had access to its classified network.
• “This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers,” Ohio Sen. Rob Portman, who co-authored the report, said in a statement announcing the findings.

A top Senate committee released a bipartisan report Tuesday finding numerous key shortcomings in federal agencies’ cyber defenses.

The Senate Homeland Security and Governmental Affairs Committee’s report, authored by Ohio Republican Sen. Rob Portman and Michigan Democratic Sen. Gary Peters, revisited eight federal agencies found to be “failing to protect the sensitive data they stored and maintained” in a 2019 analysis of inspector general audit reports from 2008 to 2019. The report found only one agency, the Department of Homeland Security (DHS), had adequately improved its cybersecurity program.

“Two years later, seven agencies still fail at effectively securing data,” the report read. “While several of the agencies made minimal improvements in one or more areas, inspectors generally found essentially the same failures as the prior 10 years.”

The report highlighted a number of key flaws, including the fact that seven agencies operated outdated technology, and the State Department could not provide documentation on 60% of employees who had access to its classified network.

The Department of Transportation had no record of 14,935 “IT assets,” including 4,824 servers, which it owned, and the Department of Agriculture had a “significant number” of vulnerabilities in public-facing websites, according to the report.

Inspectors were able to access hundreds of secure files, including credit card numbers, from the Department of Education without the agency noticing, according to the report.

The report also found that DHS’s “flagship cybersecurity program,” known as EINSTEIN, did not adequately detect and prevent cyber intrusions. EINSTEIN is a threat-detection system designed to provide agencies with information to address cyber intrusions.

“This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers,” Portman said in a statement announcing the findings.

Portman pointed to the December SolarWinds breach, as well as the string of ransomware attacks in recent months such as the May Colonial Pipeline hack, as examples of cybersecurity threats.

“I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade – the American people deserve better,” he added.

The report issued a number of recommendations, including more cybersecurity funding, a centralized approach to cyber threats, the updating and improving of EINSTEIN, and a more expansive role of the Cybersecurity and Infrastructure Security Agency (CISA) in assisting agencies with cyber defense. CISA is a federal agency founded in 2018 dedicated to supporting other agencies in addressing cyber threats and managing risk.

The report also recommended Congress update the Federal Information Security Modernization Act of 2014 to “formalize CISA’s role as the operational lead” of federal cybersecurity.

Peters met with officials Tuesday to discuss how to improve the nation’s cybersecurity defenses.

“We agreed that it will take a comprehensive, all of government approach to deter these continued assaults and hold foreign adversaries and criminal organizations accountable for targeting American networks,” Peters said in a press release following the meeting.

President Joe Biden has made cybersecurity a priority of his administration, issuing an executive order in May aimed at improving communication between federal agencies during cyber attacks and centralizing a security response.

“It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security,” Biden said in the order.