According to a US Senate report, seven out of eight federal agencies fail to protect critical data due to inadequate cyber security.
The bipartisan report revealed details of an investigation by the Senate Committee on Homeland Security and Government Affairs into cyber security measures in the federal government.
"What this report finds is stark," said the document, titled Federal Cybersecurity: America's Data at Risk. "Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020."
The report examined Agriculture, Education, Health and Human Services, Homeland Security, Housing and Urban Development, State, Social Security, and Transportation. It follows a similar investigation into the same eight agencies in 2019 and shows little progress.
Most agencies reviewed still failed to install security patches quickly. At least seven of the eight agencies, including the DHS, are still using legacy systems that no longer receive vendor support, rendering them vulnerable to cyber attacks, warned the report. Seven of the agencies also failed to maintain proper asset inventories, it added.
The document lists several failings across the agencies. The State Department could not provide documentation for 60% of sample employees with access to its classified network. It also failed to delete thousands of accounts for employees who had left the agency.
RELATED RESOURCE
Security awareness training strategies for account takeover protection
Why you need an inside-the-perimeter strategy for internal threats
The report added that penetration testers stole sensitive personal information, including 200 credit card numbers, from the Department of Education without employees noticing. Plus, the Department of Agriculture had "a significant number of high vulnerabilities" on its public-facing websites that the agency didn't know about.
Recommendations from the Committee included central coordination for cyber security through a government-wide office that handles the issue for the federal government. The Office of Management and Budget (OMB) should also adopt a risk-based budgeting model that would allocate funds more effectively to close loopholes most likely to be exploited, it added.
In May, the White House issued an executive order addressing cyber security weaknesses across the federal government. That sought to address IT supply chain risk, which the Government Accountability Office warned was lacking across federal agencies in December.
-
Licensed mmWave: Opportunity or overhead?Industry Insights Ofcom’s latest mmWave auction unlocks major new capacity for 5G and FWA, offering a faster, more flexible complement to fiber - especially in dense urban areas
-
CISA issues alert as China-linked hackers exploit Brickstorm malware to target VMware serversNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
‘All US forces must now assume their networks are compromised’ after Salt Typhoon breachNews The announcement marks the second major Salt Typhoon incident in the space of two years
-
UK cyber experts on red alert after Salt Typhoon attacks on US telcosAnalysis The UK could be next in a spate of state-sponsored attacks on telecoms infrastructure
-
Healthcare data breaches are out of control – here's how the US plans to beef up security standardsNews Changes to HIPAA security rules will require organizations to implement MFA, network segmentation, and more
-
The US could be set to ban TP-Link routersNews US authorities could be lining up the largest equipment proscription since the 2019 ban on Huawei networking infrastructure
-
US government IT contractor could face death penalty over espionage chargesNews The IT pro faces two espionage charges, each of which could lead to a death sentence or life imprisonment, prosecutors said
-
US identifies and places $10 million bounty on LockBit, Hive ransomware kingpinNews Mikhail Pavlovich Matveev was linked to specific ransomware attacks, including a 2021 raid on the DC police department
-
Breach at US Transportation Department exposes 240,000 employee recordsNews An investigation is underway into the breach, which affected former and current employee data
-
IRS mistakenly publishes 112,000 taxpayer records for the second timeNews A contractor is thought to be responsible for the error, with the agency reportedly reviewing its relationship with Accenture
