Government agencies often fail to take "the most basic steps" in securing data and protecting critical infrastructure, according to a Senate report published Tuesday. The assessment comes from the Republican side of the Homeland Security and Governmental Affairs Committee. “Weaknesses in the federal government’s own cybersecurity have put at risk the electrical grid, our financial markets, our emergency response systems and our citizens’ personal information,” said Republican Tom Coburn.
It starts off with some examples of recent missteps, including the fake zombie apocalypse emergency alert that went out in Montana last year. Other mistakes have been more worrisome; last year, a hacker made off with private information on all 85,000 dams inside the US — including data revealing their condition and the potential for fatalities if they were breached or destroyed. Sensitive cybersecurity plans for nuclear plants have been left unprotected on shared drives. "Those failures aren’t due to poor practices by the private sector," reads the report. "All of the examples below were real lapses by the federal government."
Government agencies are still terrible at updating software
The report pulls from over 40 audits of government agencies and other internal reviews. And just about every major department in the federal government has failed to boost cybersecurity to a satisfactory level. The Department of Homeland Security, which is supposed to be leading the charge in locking down critical data, isn't setting a very good example. The DHS has failed to "update basic software like Microsoft applications, Adobe Acrobat and Java, the sort of basic security measure just about any American with a computer has performed," the report says. Out-of-date antivirus software, weak passwords, and sloppy physical security (sensitive passwords were found written on desks) were among the other problems.
Employees are picking 'lousy' passwords
Things fare even worse at the Nuclear Regulatory Committee. The report points to an alarming "general lack of confidence" in the NRC’s IT department that has prompted some offices to "go rogue" by buying their own computers and networks. The NRC also reportedly has trouble keeping track of its laptop computers, which often have access to sensitive information. Perhaps more concerning, the NRC recognizes some of these problems but routinely fails to resolve them. "Problems were identified but never scheduled to be fixed; fixes were scheduled but not completed; fixes were recorded as complete when they were not," the report says.
Moving to the financial side, the report claims that the IRS often fails to encrypt sensitive data and that the agency is "dangerously slow" in implementing critical software updates. Employees also use "lousy" passwords, and the IRS has been receiving warnings about these lackluster logins for six years now. Some employees at the Securities and Exchange Commission have stored crucial data on unencrypted laptops — including what amounts to a how-to guide on hacking into the stock exchanges. The report also points out shortcomings at the Department of Energy and Department of Education; you can read it in full here. Coburn said the report is yet more proof that "Congress needs to hold the White House and its agencies accountable.”