“In the past few years, we have seen significant breaches in cybersecurity which could affect critical US infrastructure,” the group explained in the 19-page report, which details the failing of specific federal cybersecurity efforts. “Those failures aren’t due to poor practices by the private sector. All of the examples…were real lapses by the federal government.”
The report gives several examples of such failings. The Nuclear Regulatory Commission for instance was found to be storing sensitive cybersecurity details for nuclear plants on an unprotected shared drive, making them more vulnerable to hackers and cyber-thieves. The Securities and Exchange Commission routinely exposed blueprints for the technology undergirding the New York Stock Exchange to hackers, including sensitive data about the computer networks in use and the NYSE’s cybersecurity measures. The info “could be extremely useful to a hacker or terrorist who wanted to penetrate the market’s defenses and attack its systems,” the report noted.
And last January, hackers gained access to U.S. Army Corps of Engineers computers and downloaded an entire non-public database of information about the nation’s 85,000 dams – including those that could kill Americans if they failed. The information included sensitive information about each dam’s condition, the potential for fatalities if breached, location and nearest city.
“In addition, hackers have penetrated, taken control of, caused damage to and/or stolen sensitive personal and official information from computer systems at the Departments of Homeland Security, Justice, Defense, State, Labor, Energy and Commerce; NASA; the Environmental Protection Agency; the Office of Personnel Management; the Federal Reserve; the Commodity Futures Trading Commission; the Food and Drug Administration; the US Copyright Office; and the National Weather Service,” the report said.
There were also more than 48,000 other cyber “incidents” involving government systems in 2012 alone which agencies detected and reported to the Department of Homeland Security.
“And one cannot ignore the universe of other intrusions that agencies could not detect: civilian agencies don’t detect roughly four in 10 intrusions, according to testing reported in 2013 by the White House Office of Management and Budget,” it added.
In short, the federal government’s track record is rather abysmal.
The report doesn’t offer specific recommendations for improving the governmental security posture – a different report from President Obama’s council of advisors on science and technology (PCAST) detailed many. But, Coburn and co. did point out one place to start working: unpatched software, that bugaboo of IT departments everywhere.
“While cyber-intrusions into protected systems are typically the result of sophisticated hacking, they often exploit mundane weaknesses, particularly out-of-date software,” the report found. “Even though they sound boring, failing to install software patches or update programs to their latest version creates entry points for spies, hackers and other malicious actors.”
Last July, hackers used just that kind of known, fixable weakness to steal private information on over 100,000 people from the Department of Energy, leading to a rigorous audit of the agency.
“The department’s Inspector General blamed the theft in part on a piece of software which had not been updated in over two years, even though the department had purchased the upgrade,” the report noted.