May 10, 2022

Limited GovernmentPolicy

Revisiting America’s Embarrassing Cybersecurity Report Card

By: Caleb Larson

Far things are worse in childhood than coming home with a report card filled with failing grades. However, this fear is mostly healthy, as it motivates the child to avoid these consequences by working harder to achieve better grades. Parents must enforce consequences that a bad report card invites or else the child will continue to slack off in school. Unfortunately, our federal government has brought home a report card that raises serious concerns about the safety of the nation’s data and infrastructure. The federal agencies and departments that fail to implement proper and necessary cybersecurity standards must face sufficient scrutiny to improve or, a disastrous future awaits these bureaucratic government institutions and the American people who rely on them.

The United States Senate Committee on Homeland Security and Governmental Affairs released a report last August titled Federal Cybersecurity: America’s Data Still at Risk. The title cheekily references the previous 2019 report, Federal Cybersecurity: America’s Data at Risk, produced by the Permanent Subcommittee on Investigations. The earlier report’s damning conclusion states that, “Given the sustained vulnerabilities identified by numerous Inspectors General, the Subcommittee finds that the federal government has not fully achieved its legislative mandate under FISMA and is failing to implement basic cybersecurity standards necessary to protect America’s sensitive data.” This condemnation was based on investigations of eight federal agencies by their respective inspector general who found “systemic failures” and lack of “basic cybersecurity standards and protocols”.

The follow-up report looked at these eight agencies once again to find out how they had improved. These updated findings are even more appalling. One of the agencies, the Department of Homeland Security (DHS), was able to implement an “effective cybersecurity regime”. The other agencies “made minimal improvements” but ultimately, they “still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.”

There are some notably panic-inducing highlights from the report. The State Department failed to deprovision, the process of removing any access to a network that a user’s account may have once they leave, thousands of employees who had access to both classified and unclassified networks. The Department of Transportation had no record of 14,935 IT assets, underscoring the important fact that you can only secure the assets that you know exist. One of the more frightening discoveries comes from the Department of Agriculture. It turns out that the agency had “a significant number of high vulnerabilities on the agency’s public facing websites that were unknown to the agency.” Nothing is more enticing to a hacker than known vulnerabilities on public facing assets. To summarize, the report card that the federal government brought home was worthy of a grounding to end all groundings.

These grades seem elementary, but their repercussions are much more impactful when the vulnerabilities they entail are exploited. In January of 2020 the U.S. Census Bureau’s remote access servers were compromised as a result of “missed opportunities” to limit their exposure to this type of attack. Its’ Office of Inspector General, the entity who identified these missed opportunities, also found that the bureau was slow to report the cyberattack, had insufficient logs for proper post-breach investigation, and was using an end-of-life operating system no longer supported by the vendor. The Department of State was also attacked in August, to such a degree that the Department of Defense felt the need to issue a warning that this could potentially be a “serious breach.” The August report rightly describes these findings as “stark.” How terrifying it is to know that the federal agencies put in charge of America’s data and infrastructure are struggling to meet the lowest bar of cybersecurity. 

There are many private companies that fail to provide these basics, a fact well known through the countless data breaches mentioned in the news. However, the one place that should be working the hardest to avoid falling prey to poor cybersecurity practices is the federal government. This is where accountability should come into play. Private companies do not have much leeway when dealing with data breaches. If their users’ data is compromised, they face large fines, such as the $80 million punishment served to Capital One as a result of a data breach in 2019. CEOs may spend sleepless nights worrying about a potential public relations and financial nightmare caused by a hack that could ultimately cost them their job or reputation.

It is a crude joke that America’s federal agencies face no such pressure despite similar, if not more catastrophic, failures. The 2019 report points out that in the preceding five years, a data breach was reported by the IRS, USPS, and even the White House. It also calls out the staggering 35,277 cyber incidents that were reported by federal agencies in 2017. These agencies also failed to abide by the November deadline to implement multi-factor authentication and data encryption that were set within President Biden’s cybersecurity focused executive order.

If the federal government wants to avoid future cyber disasters at the hands of adversarial nations and criminal organizations, then it must get serious about these reports that contain such dire findings and introduce substantial consequences for those responsible for delivering poor grades. Ask any child if they would feel comfortable bringing home a report card like this repeatedly and compare that response to the disregard given by federal bureaucrats. It should not take a child to see how this is unacceptable.