Report Shows US Government Agencies Aren’t Doing Enough on Cybersecurity

• The majority of the US government agencies are not compliant to the NIST framework.
• The yearly audits that are carried out to them signify an alarming situation that just won’t change.
• Many of them use systems that date back to decades ago, and which are used in critical roles.

A report by the subcommittee on investigations of the US Homeland Security and Government Affairs paints a very dire picture for federal cybersecurity. As it is noted, government agencies and public organizations aren’t even taking the basic steps required in order to secure the personally identifiable information of the citizens, as well as other critically important types of information. In the same time that government agencies fall victims to ransomware attacks that force them to pay large amounts of the taxpayers’ money, the agencies still use obsolete software and hardware that comes with a bottomless list of possible security vulnerabilities.

Government agencies, as well as organizations in the private sector, are expected to comply to the NIST (National Institute of Standards and Technology) Cybersecurity Framework, but the committee found that many agencies fail to follow even the basic of these guidelines. Seven out of the eight agencies reviewed by the subcommittee failed to protect people’s PII, five out of the eight agencies don’t maintain any IT assets, six out of eight don’t install security patches, and all eight agencies examined overly relied on legacy systems. The agencies that were audited are DHS, DOT, HUD, USDA, HHS, Education, SSA, and the DOS.

The key findings of the report that characterize the current situation are the following:

• No agencies applied security patches in a timely manner.
• The Department of Homeland Security (DHS) is still using Windows XP and Windows Server 2003, although Microsoft has stopped supporting them since 2014.
• Six agencies can’t tell if someone stole data from their networks and/or systems.
• During 2017, federal agencies reported more than 35 thousand cybersecurity incidents.
• From 2011 until today, the Department of Education is failing to secure its network from getting access by unauthorized users.
• The Social Security Administration (SSA) citizen data storing system was written with the obsolete COBOL language, which dates back to 1959.
• SSA has failed the subcommittee’s privacy audits eight times in the last ten years.
• The visa application and validation system used by the State Department is almost three decades old.
• The Department of Transportation (DOT) is characteristically slow to process unresolved security incidents, taking them over three months for each.
• DOT is still using a computer that was commissioned in 1971, and which is responsible for the management of its “Hazardous Materials Information System”.

Do you have any comments to make on the above? Let us know of your opinion in the dedicated section beneath, or share your views with our online community on our social media, on Facebook and Twitter.