Federal Cybersecurity: America’s Data at Risk
The 2019 report completed by the Permanent Subcommittee on Investigations (Subcommittee) showcases weaknesses in agencies’ cybersecurity standards. In short, the agencies’ inspectors highlighted systemic failures across eight key Federal agencies that were not in compliance with basic standards and protocols. I don’t know about you, but this sent chills up my spine! What? Why? Systemic? The issues arise from older legacy computer systems that are costly to maintain and at times difficult to update, and in some cases frozen in time because the vendor no longer supports the version of the product. End of Life, anyone?
Sensitive Data – Ripe for Picking!
Personally Identifiable Information (PII) is any data that can identify you directly. Think about your name, birthdate, address, and the list goes on. All of these, when combined, can identify you and can also lead to identity theft. Why should you care? Well, once your identity has been stolen and you have to go through a mountain of paperwork and processes to undo the damage, your perspective changes quickly. We should protect our private data not only from domestic threats but from foreign threats as well. State-sponsored hackers are able to find these system flaws and abuse them to gain access to the data.
The report for 2021 discusses Russian and Chinese hackers breaching multiple Federal agencies, and at this time it is still unclear what information and data were accessed during a nine-month period. The aftermath of the FireEye breach resulted in a more extensive breach, all after the 2019 report was released showing systemic failures. Some of the most interesting portions of the report cover the methods used by state actors to infiltrate the agencies through supply chain attacks. Pulse Connect Secure, a remote access product, was used by Chinese hackers, and the report states that they “exploited vulnerabilities.” There was no mention of any misconfiguration related to the software, another reason to keep your software and systems up to date with patches and firmware.
A direct copy from the report (page III):
- Seven agencies failed to provide for the adequate protection of PII.
- Five agencies failed to maintain accurate and comprehensive IT asset inventories.
- Six agencies failed to timely install security patches and other vulnerability remediation actions designed to secure the application.
- All eight agencies used legacy systems or applications that are no longer supported by the vendor with security updates resulting in cyber vulnerabilities for the system or application.
- Two years after the initial report, seven agencies still fail at effectively securing data.
Another statement that should alarm you is that the SSA did not sufficiently protect PII or apply appropriate access management controls. Who was even accessing your data at the SSA? They couldn’t tell you either. The biggest component here is updating software and firmware, and ensuring those updates actually take place, with accountability. NIST (National Institute of Standards and Technology) and CISA (Cybersecurity & Infrastructure Security Agency) both have multiple publications on the importance of keeping systems updated and maintained. The time for “If it’s not broke, don’t fix it” has come to an end, and moving legacy frameworks into modern frameworks is paramount to National Security.
According to the report, the HHS (Health & Human Services) agency scored a “C” rating while the Social Security Administration scored a “D”. While this seems dismal, at least they didn’t score an “F”. Much has already changed within the agencies, and many are taking action. Reading further into the report, you’ll come to the last paragraph on page 11, where you’ll find “NCPS is unable to detect intrusions for which it does not have a valid or active signature deployed.” The majority of the intrusion prevention and detection system still relies heavily on signature-based detection mechanisms. That was determined in 2016; fast forward to 2018 and DHS had made improvements to NCPS to detect malicious activity in network traffic otherwise missed by traditional signature-based methods, including the use of open-source information.
Even with those enhancements, the GAO determined NCPS was unable “to effectively detect intrusions across multiple types of traffic.” What was causing the further breakdown? If you guessed metrics, you’d be correct. NCPS was not giving the agencies any metrical data to help identify how well the system was actually working. Take a peek at page 15 of the report and check out the report card; it’s eye-opening.
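To make the two NCPS findings above concrete, here is an added illustration (not code from the report, DHS or GAO): a signature-only detector that can fire only on a valid, active signature, and that also reports the coverage metrics the GAO said NCPS was not providing. The log lines, signature names and tool names are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: str
    active: bool  # as with NCPS, only a valid, active signature can fire


# Constructed proxy log lines (not from the report); .invalid is a reserved TLD
SAMPLE_EVENTS = [
    "10.0.0.5 GET intranet.example/ 200 ua=Mozilla/5.0",
    "10.0.0.7 GET c2-sample.invalid/beacon 200 ua=BeaconTool/1.0",
    "10.0.0.9 GET c2-sample.invalid/beacon 200 ua=BeaconTool/2.0",  # new variant
    "10.0.0.4 GET old-c2.invalid/ping 200 ua=LegacyTool/3",         # expired sig
]

# Hypothetical deployed signature set: one active, one no longer active
SIGNATURES = [
    Signature("beacon-tool-v1", r"ua=BeaconTool/1\.0", active=True),
    Signature("legacy-tool", r"ua=LegacyTool/", active=False),
]


def detect(events, signatures):
    """Signature-only detection plus coverage metrics.

    Returns (alerts, metrics). An event matching no active signature raises
    no alert and is merely counted as unmatched: the detector cannot tell
    'benign' apart from 'malicious but unsigned'.
    """
    compiled = [(s, re.compile(s.pattern)) for s in signatures]
    alerts = []
    hits = {s.name: 0 for s in signatures}
    for ev in events:
        fired = [s.name for s, rx in compiled if s.active and rx.search(ev)]
        for name in fired:
            hits[name] += 1
        if fired:
            alerts.append((ev, fired))
    metrics = {
        "events": len(events),
        "alerted": len(alerts),
        "unmatched": len(events) - len(alerts),  # blind spot, not "clean"
        "inactive_signatures": [s.name for s in signatures if not s.active],
        "hits_per_signature": hits,
    }
    return alerts, metrics
```

Only the exact v1.0 beacon raises an alert; the v2.0 variant and the traffic covered solely by the inactive signature land in `unmatched`, which is the number a defender needs to see to know the blind spot exists.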
The Future of Federal Cybersecurity
I’ll spare you the details, but the rest of the report houses details specific to each agency. One thing is very clear: the future is going to be brighter. Something all agencies are going to start implementing is the measurement of the effectiveness of their security operations. The article only briefly touched on Artificial Intelligence, but that’s certainly going to play a part in the future as we move away from traditional signature-based detections. As a leader in Cybersecurity, it was refreshing to read the report and to see the bright side of it: the future can only be better, and we are in a position to help influence change and bring innovative ideas and recommendations into our contracts. Most importantly, we can inspire and help build the next generation of cybersecurity professionals, who will have a keen focus on the pitfalls of the past and will keep security an ever-evolving framework, never to become stagnant again.