A bipartisan report released by the Senate Homeland Security and Governmental Affairs Committee on Tuesday found “stark” shortcomings in the cybersecurity posture of many major federal agencies in the midst of escalating cyberattacks against both the U.S. government and private sector.
The report, compiled by the leaders of the panel, found that seven federal agencies “have not met the basic cybersecurity standards necessary to protect America’s sensitive data.” According to data from each agency’s inspector general, the average grade for information security maturity among large federal agencies was a C-.
The new report was released two years after the committee’s subpanel on investigations, at the time headed by current full committee ranking member Sen. Rob Portman (R-Ohio), found that eight federal agencies had failed to update system vulnerabilities and left the personal information of Americans open to theft by hackers.
The report released Tuesday built on the 2019 findings and concluded that out of the eight agencies studied, only the Department of Homeland Security had implemented an “effective security program for 2020,” while the other seven “still fail at effectively securing data.”
Those agencies are the departments of State, Health and Human Services, Transportation, Education, Agriculture, and Housing and Urban Development, as well as the Social Security Administration (SSA). Of these organizations, the departments of Education and Transportation along with the SSA in particular “showed very little improvement” since 2019.
NASA and the Office of Personnel Management, meanwhile, were given Ds for their cybersecurity posture.
With the report’s release coming less than a year after the discovery of the SolarWinds hack, which involved Russian hackers breaching nine federal agencies for much of 2020 for espionage purposes, committee leaders on Tuesday expressed dismay at the lack of cybersecurity preparedness.
“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data,” Portman said in a statement. “This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers.”
Portman noted that he will introduce legislation based on the report’s recommendations to better protect sensitive data, emphasizing that “the American people deserve better.”
One of the report’s recommendations to address the cybersecurity shortcomings was that a central office should work to establish a national cybersecurity strategy and coordinate cyber policy between agencies. The most recent National Defense Authorization Act created a national cyber director position at the White House to help in this effort, with former National Security Agency Deputy Director Chris Inglis confirmed by the Senate to this role in June.
Portman stressed the need for more central leadership on cybersecurity, noting that “the Biden administration must also ensure there is a single point of accountability for federal cybersecurity to oversee the implementation of our recommendations and address these cybersecurity failures.”
Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) also underlined the need to do more to strengthen the nation’s cybersecurity, particularly in the wake of escalating attacks on companies including Colonial Pipeline and meat producer JBS USA.
“Shortcomings in federal cybersecurity allow cybercriminals to access Americans’ personal information, which not only compromises our national security – but risks the livelihoods of people in Michigan and across the country,” Peters said in the statement. “This report has identified an urgent need to further strengthen cybersecurity defenses at federal agencies and protect this sensitive data.”
“As Chairman of the Homeland Security and Governmental Affairs Committee, I will continue working with the Administration and Ranking Member Portman to secure federal IT systems and ensure that federal agencies are taking necessary steps to prevent Americans’ valuable information from being stolen,” he said.