Said Sen. Tom Coburn, MD, Ranking Member, in his Report by the Minority Staff of the Homeland Security and Government Affairs Committee
Wow! That kind of money must buy a whole lot of secure technology. The US federal government must be the most technologically awesome place to work and everyone must take their work very, very seriously – just like in the movies.
The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure presented by Senator Tom Coburn this past Tuesday doesn’t refute that the government has lots of sexy toys. In fact, it doesn’t really go into the technology bits.
Instead, the report, which is based on more than 40 audits and other government reviews, is surprisingly about people. Mr. Coburn and his staff present a compelling case that the very people who are responsible for the cybersecurity of the federal government’s computers and infrastructure are lazy and have an amazing lack of concern for the private data that they are supposed to be protecting.
The people and institutions whom we are told we can trust with our most private data don’t seem to care much about it at all.
How else can we explain the frequent recurrence of gross abuses of security policies across all federal agencies? What comes through very clearly in the report is that the vulnerabilities aren’t due to inferior technology, poor security guidelines or even user error, as much as simple laziness, sloppiness and irresponsibility.
A few examples (there are so many good ones that we had a tough time selecting only a few):
– each of the 6 federal departments is cited for gross password stupidity and silliness:
In March 2013, GAO reported that IRS allowed its employees to use passwords that “could be easily guessed.” Examples of easily-guessed passwords are a person’s username or real name, the word “password,” the agency’s name, or simple keyboard patterns (e.g., “qwerty”), according to the National Institute of Standards and Technology.40 In some cases, IRS users had not changed their passwords in nearly two years.41 As a result someone might gain unauthorized access to taxpayers’ personal information and it “would be virtually undetectable,” potentially for years.42 GAO has cited IRS for allowing old, weak passwords in every one of its reports on IRS’ information security for the past six years. (emphasis added)
– the agencies typically ignore even the most basic of security measures such as keeping their anti-virus software up-to-date and timely installation of software patches:
Computers controlling physical access to Department of Homeland Security facilities whose antivirus software was out of date. Twelve of the 14 computer servers the Inspector General checked in 2012 had anti-virus definitions most recently updated in August 2011. Several of the servers also lacked patches to critical software components.
– the agencies can’t seem to keep track of the technology, much less bother to secure networks and servers from unauthorized access:
The National Regulatory Commission has had trouble keeping track of its laptop computers, including those which access sensitive information about the nuclear sites the commission regulates. (emphasis added)
In 2011, 2012 and 2013, auditors were able to connect a “rogue” computer and other hardware to the Education Department’s networks without being noticed. This same access could allow a hacker to drop into the network environment behind the firewalls and other perimeter security.
– and, just to show you that we aren’t making this up, some people really do write down their passwords in open sight:
Independent auditors physically inspected [Department of Homeland Security] offices and found passwords written down on desks, sensitive information left exposed, unlocked laptops, even credit card information. (emphasis added)
– after years of money, government initiatives and presidential directives, nothing changes:
Last November, a year later, the Inspector General found that nothing had changed, and that the NRC’s efforts “are still not effective at monitoring the progress of corrective efforts … and therefore do not provide an accurate measure of security program effectiveness.”
We also found a couple of things that took our breath away.
– the IRS is interested in a lot more than just collecting federal taxes:
In addition to traditional records on employment, income and identifier information, the IRS reportedly collects a huge volume of personal information on Americans’ credit card transactions, eBay activities, Facebook posts and other online behavior. (emphasis added)
Why should the IRS be at all interested in your Facebook and ‘other online behavior’?
– the use of private notebooks and email accounts by government employees isn’t uncommon:
But a 2012 investigation into the [Trading and Markets Division under the Security and Exchange Commission] team found conduct which did not reflect a concern for security. Team members transmitted sensitive non-public information about major financial institutions using their personal e-mail accounts. (emphasis added)
SEC employees using private emails to send privileged information about the companies they are monitoring. Hmmm, why would they… wait a second… no, they wouldn’t… well maybe…
It really is a damning report.
So now what? You guessed it, an article in Mashable suggests where this is heading:
Government agencies have a tougher time luring workers away from the private sector and, in general, there’s a “shortage of cybersecurity talent,” [Allan] Friedman [a ‘cybersecurity researcher’ at George Washington University] said. Moreover, government agencies can’t be as quick in deploying new technology as private companies.
Note that the report does NOT indicate that the agencies have outdated technology, or that personnel aren’t up to the task: the report shows that the people in these agencies were irresponsible and that they weren’t doing their jobs! That being the case, we’re not sure if Mr. Friedman is taking a dig at the ‘talent’ in government, or simply making a knee-jerk reaction request for more money.
Curiously, neither the report nor Mashable’s write-up makes any mention of any consequences for anyone. If this were a private company, heads would have rolled a long time ago. It’s true that mistakes can happen anywhere, but only in government are they rewarded with a bigger budget.
Prediction #1: congressional cries for more funding will result in – you guessed it – even more money being put toward ‘solving’ the problem.
Prediction #2: we’ll continue to hear about the lack of success in ‘solving’ the problem for years to come.