When hackers broke into systems at the Office of Personnel Management (OPM), the records of 21.5 million current and former federal employees and applicants for a U.S. security clearance were exposed. In light of the largest publicly known breach of a federal agency, one would expect OPM and the other federal agencies to be diligently shoring up their IT systems. Unfortunately, that has yet to happen.
In response to a Homeland Security request, the Government Accountability Office (GAO) surveyed the federal systems that hold sensitive information (designated "high impact") at 24 federal agencies. It examined federal policies, standards, guidelines, and reports, and interviewed federal officials. GAO also tested and evaluated the security controls over eight high-impact systems at four of those agencies.
All of the agencies acknowledged that they had suffered attacks and were more or less under constant attack. Attacks attributed to nation-states were reported as the most frequent and the most serious. Email was the most common attack vector, and the installation of malicious code was involved in almost 500 of the more than 2,200 incidents reported at 11 of the 18 agencies.
GAO also found that four agencies had failed to implement critical security precautions: the Nuclear Regulatory Commission (NRC), NASA, the Department of Veterans Affairs (VA), and OPM. According to the report, almost all of their systems had weaknesses:
… all the agencies reviewed had developed a risk assessment for their selected high-risk systems. However, the four agencies had not always effectively implemented access controls. These control weaknesses included those protecting system boundaries, identifying and authenticating users, authorizing access needed to perform job duties, and auditing and monitoring system activities. Weaknesses also existed in patching known software vulnerabilities and planning for contingencies. An underlying reason for these weaknesses is that the agencies had not fully implemented key elements of their information security programs, as shown in the table.
None of these are exotic controls: boundary protection, identification and authentication, least-privilege authorization, audit logging and monitoring, patching, and contingency planning are the basics of any information security program. The report notes that until these agencies pull up their socks, they will continue to put the sensitive information of Americans at risk:
Until the selected agencies address weaknesses in access and other controls, including fully implementing elements of their information security programs, the sensitive data maintained on selected systems will be at increased risk of unauthorized access, modification, and disclosure, and the systems at risk of disruption.
The GAO recommends that NASA, NRC, VA, and OPM fully implement their information security plans, practices, and programs. The agencies generally agreed with the report's recommendations, with the exception of OPM.
OPM, the agency hit by the largest federal breach, concurred that it needs to update its security and remedial action plans, and partially agreed that it needs to better train and track its contractors. However, it challenged how GAO assessed its security controls, questioning how GAO arrived at its conclusions. GAO, for its part, said it had provided enough detail on its methodology and results for anyone to draw the same conclusions. We won’t choose sides in this he-said, she-said back-and-forth.
The takeaway is that federal agencies sit on a gold mine of Americans' private information, and they need to do better at protecting that treasure trove from cyberattacks. Whether the attackers are nation-states with political ends in mind or criminals looking to steal identities, these agencies need to do better. We must demand of them: if you collect it, you had better protect it.