Several major federal agencies, which collect vast amounts of personal data about American citizens as part of their work, have routinely failed to adequately protect that information for years, according to a congressional report.
“After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal and sensitive information unsafe and vulnerable to theft,” Ohio Republican Sen. Rob Portman, chairman of the Senate Homeland Security Committee’s Subcommittee on Investigations, said in a statement. “The federal government can and must do a better job of shoring up our defenses against the rising cybersecurity threats.”
The report, published Tuesday, is based on a review of past inspector general reports at eight major U.S. federal departments: Department of Homeland Security, Department of State, Department of Transportation, Department of Housing and Urban Development, Department of Agriculture, Department of Health and Human Services, Department of Education and the Social Security Administration.
It said that the number of cyber incidents reported by federal agencies has grown substantially over the last decade to more than 35,000 reported incidents in 2017. The report also references a massive breach of personal information of federal workers in 2015 from the Office of Personnel Management.
But based on the IG reports, congressional researchers found the agencies still “currently fail to comply with basic cybersecurity standards,” including leaving systems unpatched and relying far too much on “legacy” systems — both of which create potential openings for hackers to slip in and steal Americans’ data.
In the case of the Department of Education, which the report says collects financial data on students and parents applying for college loans, an inspector general report said that the agency has been unable, since 2011, to “prevent unauthorized outside devices from easily connecting to the agency’s network.”
The Department of Housing and Urban Development keeps prospective homeowners’ financial records for loan considerations, but it “does not have a mature process for monitoring network and web application data exfiltration,” the report said, which could compromise access to personal information.
The Department of Homeland Security, which maintains travel records for U.S. citizens traveling to and from abroad and whose mission includes protecting the U.S. from cyberattacks, “[f]or the last ten fiscal years […] failed to appropriately remediate cyber vulnerabilities by ensuring security patches were properly applied,” the report said.
Representatives for the Departments of Education, Housing and Urban Development, and Homeland Security did not immediately respond to a request for comment for this report. In response to a 2018 DHS inspector general report that also criticized the DHS’s cybersecurity practices, DHS management said “corrective actions” were underway.
“While some federal agencies appear to have made progress in recent years, this report makes it clear that there is still much work to be done,” subcommittee Ranking Member Sen. Tom Carper, D-Del., said. “But we know that the threats posed by cyber-attacks continue to evolve and grow every day, so it is crucial that agencies across our government prioritize efforts to better protect their networks from hackers.”