Federal agencies allowed over 48,000 "significant breaches" in 2012, according to a report newly released by the Minority staff on the Homeland Security and Governmental Affairs Committee.
Under the ranking member's name, Senator Tom Coburn, this examination into the federal government’s record regarding "cybersecurity and critical infrastructure" seems important, especially as the recent Examiner story revealed the intelligence warning, and subsequent retraction, regarding malicious code being inserted into ObamaCare by software writers in Belarus.
Since the White House bestowed authority upon the Department of Homeland Security in 2010 for the "cybersecurity of all federal government networks," concerning issues arise from the report:
"... the DHS Inspector General found that the DHS computer security experts who would fulfill that directive had serious cyber vulnerabilities in their own systems. The IG found hundreds of vulnerabilities on the DHS cyber team’s systems, including failures to update basic software like Microsoft applications, Adobe Acrobat and Java, the sort of basic security measure just about any American with a computer has performed."
Failure to update creates entry points for hackers the report states.
Stated in the document is that "... DHS lags behind many of its agency peers." As an example it is also stated that in 2013 "... DHS rated below the government-wide average for using anti-virus software or other automated detection programs encrypting email, and security awareness training for network users."
And that's just DHS. Here are some of the rest:
Also mentioned as being "dangerously slow to install crucial software updates and patches," is the Internal Revenue Service. Said the writers of the Senate report:
"For years, the Government Accountability Office (GAO) has also warned IRS its computers are not safe — that in fact, they are dangerously vulnerable to intrusion and data theft."
However, according to this Senate examination, "every year since 2008, GAO has identified about 100 cybersecurity weaknesses at the IRS which compromise the agency’s computers and data, often repeating weaknesses it cited the previous year. Every year, the IRS claims to fix about half of them, but GAO says even those disappointing numbers aren’t right, because IRS doesn’t confirm the actions they take actually fix the problems. And every year, GAO returns and finds around 100 problems with IRS’ cybersecurity."
And since the agency "collects federal taxes owed by any person or business in the United States, and its computers hold more sensitive data on more Americans than those of perhaps any other federal component," this is a problem.
According to the report:
"In addition to traditional records on employment, income and identifier information, the IRS reportedly collects a huge volume of personal information on Americans’ credit card transactions, eBay activities, Facebook posts and other online behavior. Unfortunately, the IRS has struggled with the same serious cybersecurity issues for years, and has moved too slowly to correct them."
"In March 2012, IRS computers had 7,329 “potential vulnerabilities” because critical software patches had not been installed on computer servers which needed them. At one point in 2011, over a third of all computers at the IRS had software with critical vulnerabilities that were not patched. IRS officials said they expect critical patches to be installed within 72 hours. But TIGTA found it took the IRS 55 days, on average, to get around to installing critical patches. Most recently, in September 2013, TIGTA re-affirmed that the IRS still “has not yet fully implemented a process to ensure timely and secure installation of software patches.”
The private information on over 100,000 individuals was stolen, according to the Senate report, from the Department of Energy:
"Even though they sound boring, failing to install software patches or update programs to their latest version create entry points for spies, hackers and other malicious actors. Last July, hackers used just that kind of known, fixable weakness to steal private information on over 100,000 people from the Department of Energy. The department’s Inspector General blamed the theft in part on a piece of software which had not been updated in over two years, even though the department had purchased the upgrade."
Other big-info targets
Pulled directly from the Senatereport are these agencies:
• Nuclear Regulatory Commission - "stored sensitive cybersecurity details for nuclear plants on an unprotected shared drive, making them more vulnerable to hackers and cyberthieves."
• Securities and Exchange Commission - "routinely exposed extremely sensitive data about the computer networks supporting the New York Stock Exchange, including NYSE’s cybersecurity measures. The information the SEC exposed reportedly could be extremely useful to a hacker or terrorist who wanted to penetrate the market’s defenses and attack its systems."
• U.S. Army Corps of Engineers - hackers gained access to "... computers and downloaded an entire non-public database of information about the nation’s 85,000 dams — including sensitive information about each dam’s condition, the potential for fatalities if breached, location and nearest city."
• Emergency Broadcast System - hackers broke into the EBS, operated by the FCC and "... caused television stations in Michigan, Montana and North Dakota to broadcast zombie attack warnings." They said: “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living." The familiar warning beep even sounded.
• National Institute of Standards and Technology (NIST) - hackers managed to exploit "a vulnerability on web servers" belonging to NIST.
Add to these to those listed above:
In addition, hackers have breached and commandeered, caused damage to and/or stolen sensitive personal and official information from computer systems at the Departments of Justice, Defense, State, Labor, and Commerce; NASA; the Environmental Protection Agency; the Office of Personnel Management; the Federal Reserve; the Commodity Futures Trading Commission; the Food and Drug Administration; the U.S. Copyright Office; and the National Weather Service, according to the report.
"These are just hacks whose details became known to the public, often because the hackers themselves announced their exploits. Largely invisible to the public and policymakers are over 48,000 other cyber “incidents” involving government systems which agencies detected and reported to DHS in FY 2012."
Also mentioned were "... the universe of other intrusions that agencies could not detect: civilian agencies don’t detect roughly 4 in 10 intrusions, according to testing reported in 2013 by the White House Office of Management and Budget."