A new report from the Senate Committee on Homeland Security and Governmental Affairs has found that numerous vulnerabilities exist in federal agency computer networks, leaving Americans’ personal data at risk.
Data breaches at federal agencies are nothing new and have put on display the security vulnerabilities that exist within the federal government. The most notable recent example was the data breaches at the Office of Personnel Management that left the personal data of over 20 million current and former federal employees at risk. The breach occurred because OPM failed to properly secure its computer systems, something that continues to be a problem at the agency.
“The number of data breaches agencies have reported in recent years is not surprising given the current cybersecurity posture of the federal government. A recent report by the Office of Management and Budget made clear that agencies ‘do not understand and do not have the resources to combat the current threat environment,’” reads the Senate report.
What Security Vulnerabilities are Being Left Exposed?
The Senate subcommittee reviewed the past ten years of audits for these agencies:
- Department of Homeland Security
- Department of State
- Department of Transportation
- Department of Housing and Urban Development
- Department of Agriculture
- Department of Health and Human Services
- Department of Education
- Social Security Administration
The report said that State, DOT, HUD, Education, and SSA failed to properly protect personally identifiable information and that State, DOT, HUD, HHS, and SSA were not maintaining current lists of their IT assets, the latter being a problem because “If the agency does not know the application is on its network, it cannot secure the application.”
Other problems identified included continued reliance on outdated systems and software (Windows XP, which Microsoft stopped supporting in 2014, was one example) and failure to install security updates for software.
Examples of Personal Data Collected and Left Vulnerable
The report went into a lot of detail about the security problems at each of the agencies the Senate Subcommittee reviewed. One example was DHS.
Did you know that DHS has a Passenger Name Record database in which Customs and Border Protection collects personal data “primarily for purposes of preventing, detecting, investigating, and prosecuting terrorist offenses”? These data are taken from commercial airlines and include dates of reservation, dates of intended travel, names, credit card numbers, travel itinerary, baggage information, and seat number. This is just one example of the huge amounts of sensitive personal data collected and stored by the agency.
And what security problems did the report identify at DHS?
The DHS Inspector General has found that the agency has 48 unclassified and 16 national security systems which did not have valid authority to operate.
The agency also has continued to use unsupported operating systems, which creates the possibility that “known or new vulnerabilities [could] be exploited on operating systems for which vendors no longer provide service patches or technical support.” One example is the use of Windows Server 2003, a product Microsoft stopped supporting in 2015.
The DHS IG also found that the agency was not applying security patches in a timely manner for “critical and high-risk security vulnerabilities.”
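The three control failures described above (assets the agency does not know it has, operating systems past their vendor end-of-support date, and patches for high-risk vulnerabilities not applied in a timely manner) are exactly the things a simple inventory reconciliation check can surface. The following is an added illustration, not code from the Senate report or from any agency: it reconciles a constructed asset inventory against a constructed list of hosts observed on the network and flags each of the three conditions. The host names, dates, the patch deadline of 30 days and the Ubuntu end-of-support date are assumptions; the Windows XP and Windows Server 2003 dates are Microsoft's published end-of-support dates (the article cites only the years 2014 and 2015).

```python
"""Reconcile an asset inventory against observed hosts and flag the control
failures an IG audit looks for: unknown assets, end-of-life operating
systems and overdue patching. All data below is constructed for illustration."""
from datetime import date

# Constructed inventory: what the agency believes is on its network.
INVENTORY = {
    "web-01": {"os": "Windows Server 2016", "last_patch": date(2019, 5, 1)},
    "db-02": {"os": "Windows Server 2003", "last_patch": date(2018, 1, 15)},
    "app-03": {"os": "Ubuntu 18.04", "last_patch": date(2019, 6, 20)},
}

# Constructed observation: hosts actually seen, e.g. by a scan or DHCP logs.
OBSERVED = {"web-01", "db-02", "app-03", "legacy-09"}

# Vendor end-of-support dates. XP and Server 2003 are Microsoft's published
# dates; the Ubuntu 18.04 date is an assumption for this example.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Ubuntu 18.04": date(2023, 5, 31),
}

# Assumed policy: a host must receive patches at least every 30 days.
MAX_PATCH_AGE_DAYS = 30


def unknown_assets(inventory, observed):
    """Hosts seen on the network that the inventory does not list.
    An agency cannot secure an application it does not know it runs."""
    return sorted(observed - set(inventory))


def end_of_life_assets(inventory, eos, today):
    """Hosts whose operating system is past vendor end-of-support."""
    return sorted(
        host for host, info in inventory.items()
        if info["os"] in eos and eos[info["os"]] < today
    )


def overdue_patches(inventory, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Hosts whose last patch is older than the allowed window."""
    return sorted(
        host for host, info in inventory.items()
        if (today - info["last_patch"]).days > max_age_days
    )


def audit(inventory, observed, eos, today):
    """Run all three checks and return the findings as one dictionary."""
    return {
        "unknown": unknown_assets(inventory, observed),
        "end_of_life": end_of_life_assets(inventory, eos, today),
        "overdue_patches": overdue_patches(inventory, today),
    }


if __name__ == "__main__":
    # Constructed audit date so the example is reproducible offline.
    findings = audit(INVENTORY, OBSERVED, END_OF_SUPPORT, date(2019, 7, 1))
    for category, hosts in findings.items():
        print(f"{category}: {', '.join(hosts) or 'none'}")
```

Each finding maps to one of the IG observations: `unknown` is the missing asset list, `end_of_life` is the Windows Server 2003 problem, and `overdue_patches` is the untimely patching. In practice the inventory and observed sets would come from a CMDB export and a network scan rather than constants, but the reconciliation logic is the same.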
That is a lot of the American public’s personal data collected at just one agency, and it is apparently being left vulnerable.
As long as the government continually fails to secure its IT systems, we can expect more data breaches in the future; it’s just a matter of when.
The Senate Subcommittee concluded its report by stating:
Despite major data breaches like OPM, the federal government remains unprepared to confront the dynamic cyber threats of today. The longstanding cyber vulnerabilities consistently highlighted by Inspectors General illustrate the federal government’s failure to meet basic cybersecurity standards to protect sensitive data. The Subcommittee will continue to track federal agency cybersecurity to ensure agencies meet FISMA’s primary legislative objective to secure government information systems.
A copy of the report is included below.