A new Senate staff report on the state of federal cybersecurity presents some uncomfortable truths about the state of data security among federal agencies. The report, issued by the Committee on Homeland Security and Governmental Affairs and titled Federal Cybersecurity: America’s Data Still at Risk, is a follow-up to an earlier sub-committee report from 2019 that found substantial weaknesses in key federal agencies.
The problems identified in the previous report included several basic digital hygiene best practices. Federal agencies did not adequately protect Americans’ personally identifiable information. They also did not maintain inventories of software and hardware on federal computer networks. Security patches that mitigate known vulnerabilities were not updated, and the use of legacy computer system was widespread.
Poor Data Security Record
Federal agencies have taken a battering in the last year from widespread and escalating cyberattacks. An attack by Russian operatives on supply chain software manufacturer SolarWinds saw the infiltration of multiple government agencies including parts of the Pentagon, the Department of Homeland Security, the State Department, and the Department of Energy.
Other attacks soon followed. The Senate report references the attack in March 2021 by suspected Chinese hackers who exploited security weaknesses in Pulse Secure VPN and gained access to data from five federal agencies. In 2020 alone, the White House documented nearly 31,000 IT security incidents throughout the Federal Government, up 8% over the previous year.
The Senate report gave an average grade of C- to the eight federal agencies reviewed. Only the Department of Homeland Security was determined to have established an effective cybersecurity policy. In addition to the lack of a centralized point of accountability for cybersecurity failures at the federal level, the report noted the following.
Federal agencies continued using IT systems that had previously been designated as unauthorized, as well as legacy systems no longer supported by vendor security updates. Sensitive data was not encrypted to prevent unauthorized access. Also, departments failed to implement recommended two-factor authentication.
The U.S. State Department received a grade of D for its failure to meet the requirements of four of the five function areas established by the report auditors. Of particular concern for auditors was its failure to document user access agreements for as much as 60 percent of employees with access to classified information. Moreover, thousands of classified and sensitive accounts remained active after long terms of inactivity, and even after employees had quit, retired, or were dismissed.
Shortly after the Senate report was released, reports emerged about a cybersecurity incident at the State Department. No specific details have yet been released, and the incident has not done anything to disrupt ongoing department operations. But the timing puts an uncomfortable spotlight on known vulnerabilities within the department and across the Federal Government.
Concern over cybersecurity vulnerabilities has escalated to such a degree that President Biden last week convened a meeting at the White House in which he enlisted the help of Big Tech leaders to solve the country’s most pressing cybersecurity concerns. President Biden noted that much of the country’s critical infrastructure is privately owned, and that the Federal Government needed assistance in meeting evolving risks.
Taking Data Security Seriously
No organization, public or private, is immune to cyberattacks. The frequency with which governments, corporations, healthcare providers, and critical infrastructure endure data breaches and ransomware attacks illustrates the evolving sophistication of cybercriminals to defeat even the most technologically advanced systems of detection and mitigation.
But as most cybersecurity analysts agree, including the auditors responsible for the Senate staff report, organizations of any size can follow basic data security steps. These include offline encrypted backup storage, implementing hardware-encrypted portable storage drives, enabling remote drive management, and hardening IT network endpoints.
SecureData’s SecureDrive and SecureUSB external storage devices are FIPs-validated, OS/host independent, and authenticate via on-board alphanumeric keypad and PIN, or through a secure mobile app and Bluetooth connection. Our BT product line is remote management ready for even higher levels of security. An RM license gives IT administrators total control over where, when, and how your most sensitive data can be accessed.
Call SecureData at 424-363-8535 to request a free demonstration of our software and hardware security solutions. Our data security specialists can help you implement a sensible and effective data security strategy.