Senate investigation finds multiple federal agencies left sensitive data vulnerable to cyberattacks for past decade


Several federal agencies failed to address system vulnerabilities over the course of the last two administrations and left Americans' personal information open and vulnerable to theft, a report released Tuesday by the Senate Homeland Security and Governmental Affairs Subcommittee on Investigations found.

The report, spearheaded by subcommittee Chairman Rob Portman (R-Ohio) and ranking member Tom Carper (D-Del.) and put together after a 10-month investigation, reviewed data compiled over the last decade by the inspector general on federal information security standards for eight agencies.


These agencies were the departments of State, Homeland Security, Health and Human Services, Transportation, Education, Agriculture, and Housing and Urban Development, as well as the Social Security Administration. 

Of these agencies, the report found that seven had failed to provide adequate protection for personal information in their systems and that six of the agencies had not installed system patches in a timely way to protect against cyber vulnerabilities. All eight agencies were found to use “legacy systems,” or those not supported by the original manufacturer anymore, resulting in further cyber vulnerabilities.

Specific agency findings included that Homeland Security, Transportation, Agriculture, and Health and Human Services failed to address some cybersecurity weaknesses identified by the inspector general over a decade ago, while the Social Security Administration was found to have severe cybersecurity vulnerabilities that risked the exposure of the personal information of more than 60 million Americans who receive Social Security benefits.

Another major security flaw found by the investigation was that the Education Department has been consistently unable to prevent unauthorized devices from connecting to its network since 2011. While the agency has limited this access to under 90 seconds, the inspector general reported that this was enough time for a malicious actor to launch an attack.

“Hackers with malicious intent can and do attack federal government cyber infrastructure consistently. In 2017 alone, federal agencies reported 35,277 cyber incidents,” Portman said in a statement. “Yet our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats.”

Carper added in a statement that “we know that the threats posed by cyber-attacks continue to evolve and grow every day, so it is crucial that agencies across our government prioritize efforts to better protect their networks from hackers.”

A congressional source told The Hill that while the subcommittee does not plan to hold any hearings around the results of this investigation, Portman will take the report's recommendations into account when considering any “legislative solutions.”

These recommendations centered around specific actions the Office of Management and Budget (OMB) should take to ensure these agencies reach a higher level of information security.

Steps include OMB ensuring the agency chief information officers have the authority to make agency-wide cybersecurity decisions, along with ensuring CIOs are regularly reporting to agency heads on information security programs. Further, the report recommended that all agencies should include progress reports on “cybersecurity audit remediation” in annual budget justifications to Congress.

The report was released during a week in which the information security of federal agencies will be in the spotlight, with the House Oversight and Reform Subcommittee on Government Operations set to hold a hearing later this week to examine the results of the biannual Federal IT Acquisition Reform Act scorecard.

This scorecard scores aspects of federal agencies’ information technology work, including cybersecurity, transparency and risk management, and the level of technological modernization.

The last scorecard, published in December, awarded the Agriculture Department, the Treasury Department and the Defense Department overall scores of D on these issues, while agencies including the Social Security Administration and the Energy Department received Bs. No agency was awarded an A.