Senate investigation finds multiple federal agencies left sensitive data vulnerable to cyberattacks for past decade

Senate investigation finds multiple federal agencies left sensitive data vulnerable to cyberattacks for past decade
© Getty Images

Several federal agencies failed to update system vulnerabilities over the course of the last two administrations and left Americans' personal information open and vulnerable to theft, a report released Tuesday by the Senate Homeland Security and Governmental Affairs Subcommittee on Investigations found.

The report, spearheaded by subcommittee Chairman Rob PortmanRobert (Rob) Jones PortmanCost for last three government shutdowns estimated at billion The Hill's Morning Report - Trump takes 2020 roadshow to New Mexico The 13 Republicans needed to pass gun-control legislation MORE (R-Ohio) and ranking member Tom CarperThomas (Tom) Richard CarperInstead of raising the gas tax, stop wasting money on frivolous projects To stave off a recession, let's pass a transportation infrastructure bill Overnight Energy: Trump tweets he's revoking California's tailpipe waiver | Move comes as Trump visits state | California prepares for court fight | Climate activist Greta Thunberg urges lawmakers to listen to scientists MORE (D-Del.) and put together after a 10-month investigation, reviewed data compiled over the last decade by the inspector general on federal information security standards for eight agencies.

ADVERTISEMENT

These agencies were the departments of State, Homeland Security, Health and Human Services, Transportation, Education, Agriculture, and Housing and Urban Development, as well as the Social Security Administration. 

Of these agencies, the report found that seven had failed to provide adequate protection for personal information in their systems and that six of the agencies had not installed system patches in a timely way to protect against cyber vulnerabilities. All eight agencies were found to use “legacy systems,” or those not supported by the original manufacturer anymore, resulting in further cyber vulnerabilities.

Specific agency findings included that Homeland Security, Transportation, Agriculture, and Health and Human Services failed to address some cybersecurity weaknesses identified by the inspector general over a decade ago, while the Social Security Administration was found to have severe cybersecurity vulnerabilities that risked the exposure of the personal information of more than 60 million Americans who receive Social Security benefits.

Another major security flaw found by the investigation was that the Education Department has been consistently unable to prevent unauthorized devices from connecting to its network since 2011. While the agency has limited this access to under 90 seconds, the inspector general reported that this was enough time for a malicious actor to launch an attack.

“Hackers with malicious intent can and do attack federal government cyber infrastructure consistently. In 2017 alone, federal agencies reported 35,277 cyber incidents,” Portman said in a statement. “Yet our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats.

Carper added in a statement that “we know that the threats posed by cyber-attacks continue to evolve and grow every day, so it is crucial that agencies across our government prioritize efforts to better protect their networks from hackers." 

A congressional source told The Hill that while the subcommittee does not plan to hold any hearings around the results of this investigation, Portman will consider recommendations in the report in considering any “legislative solutions.”

These recommendations centered around specific actions the Office of Management and Budget (OMB) should take to ensure these agencies reach a higher level of information security.

Steps include OMB ensuring the agency chief information officers have the authority to make agency-wide cybersecurity decisions, along with ensuring CIOs are regularly reporting to agency heads on information security programs. Further, the report recommended that all agencies should include progress reports on “cybersecurity audit remediation” in annual budget justifications to Congress.

The report was released during a week that the information security of federal agencies will be in the spotlight, with the House Oversight and Reform Subcommittee on Government Operations set to hold a hearing later this week to examine the results of the biannual Federal IT Acquisition Reform Act scorecard.

This scorecard scores aspects of federal agencies’ information technology work, including cybersecurity, transparency and risk management, and the level of technological modernization.

The last scorecard, published in December, awarded the Agriculture Department, the Treasury Department and the Defense Department overall scores of D on these issues, while agencies including the Social Security Administration and the Energy Department received Bs. No agency was awarded an A.