Cybersecurity problems linger at low-performing federal agencies
A Senate subcommittee analysis of a decade of annual inspectors general reports shows that at the 7 worst-performing federal agencies, known cybersecurity issues can linger for as long as a decade.
The big picture: The report, compiled by the Permanent Subcommittee on Investigations, tracked cybersecurity problems in 7 agencies with the lowest ratings in a recent federal audit, as well as the Department of Homeland Security, which exercises some oversight control. Many of the problems were common across agencies.
Details: The 7 low-performing agencies were the Social Security Administration and the Departments of State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services and Education.
- At the Department of Education, for example, the inspector general found in 2011 that unauthorized outside devices could connect to the network. That problem wasn't addressed until last year, and even then the network allowed connections for 90 seconds — enough to open a doorway for hackers.
- Agriculture, Transportation, and HHS all had recurring or unaddressed problems that were a decade old. State had problems stretching back 5 years.
- Every agency audited used at least some legacy systems so outdated that the vendors no longer provide security patches. Six agencies did not patch in a timely manner.
Between the lines: The report identifies several problems that allow cybersecurity issues to linger in many agencies.
- There is a global cybersecurity talent shortage, and many of the less glamorous agencies struggle to get the best talent.
- Agency cybersecurity executives often don't have access to their directors' ears or congressionally mandated authority to make decisions. There's also often high turnover at those jobs.
- Agencies struggle to make needed changes as a result of tight budgets.
What's next: The report suggests that agencies centralize operations, prioritize staffing and embrace different budgeting models.