U.S. officials have warned for years that the prospect of a cyberattack is the top threat to the nation and have sharply increased spending for computer security. Yet the report by the Republican staff of the Senate Homeland Security and Governmental Affairs Committee says that federal agencies are ill-prepared to defend networks against even modestly skilled hackers.
“As a taxpayer, I’m outraged,” said Alan Paller, who is research director at the SANS Institute, a cybersecurity education group, and reviewed a draft version of the report ahead of its official release. “We’re spending all this money and getting so little impact for it.”
The report draws on previous work by agency inspectors general and the Government Accountability Office to paint a broader picture of chronic dysfunction, citing repeated failures by federal officials to perform the unglamorous work of information security. That includes installing security patches, updating anti-virus software, communicating on secure networks and requiring strong passwords. A common password on federal systems, the report found, is “password.”
Obama administration officials quibbled with elements of the report but acknowledged that getting agencies to secure their systems against attack has been difficult.
“Almost every agency faces a cybersecurity challenge,” said Michael Daniel, special assistant to the president on cybersecurity policy. “Some are farther along than others in driving awareness of it. It often depends on whether they’ve been in the crosshairs of a major cyber incident.”
The report levels particularly tough criticism at the Department of Homeland Security, which helps oversee cybersecurity at other federal agencies. The report concluded that the department had failed even to update essential software — “the basic security measure just about any American with a computer has performed.”
“None of the other agencies want to listen to Homeland Security when they aren’t taking care of their own systems,” said Sen. Tom Coburn (Okla.), who as the ranking Republican on the committee oversaw the development of the report. “They aren’t even doing the simple stuff.”
The underlying problem, said Coburn and several outside experts, is the failure of federal agencies to hire top-notch information technology workers, pay them enough and give them enough clout to enforce routine security practices.
“It’s a low-status, often low-paid, high-stress position because people only notice systems administrators when something breaks,” said Steven Bellovin, a Columbia University computer science professor and former Federal Trade Commission technologist. “It becomes a very easy position to neglect.”
Higher up the chain of command, agency directors are rarely held accountable for security failures, experts said, because it is often unclear who is responsible. No penalties are mandated by law.
Take the bogus zombie alert, which was carried by television stations in Michigan, Montana and New Mexico. It highlighted flaws in the oversight of the Emergency Alert System, which is mandated by the Federal Communications Commission and managed by the Federal Emergency Management Agency.
Hackers discovered that some television stations had connected their alert-system equipment to the Internet without installing a firewall or changing the default password, as the company’s guide instructed, said Ed Czarnecki, an official with Monroe Electronics, which manufactured the equipment that was breached. He said those mistakes in elementary network security might have been prevented with more instruction from the government.
“Neither the FCC nor FEMA had issued clear guidelines on how to secure this gear,” Czarnecki said.
Though the incident was seen as a prank, it highlighted weaknesses that could have been dangerous if hackers had broadcast misinformation during an actual emergency or terrorist attack, experts said. Monroe Electronics and the FCC have worked with affected stations to prevent a recurrence, they said.
The Department of Homeland Security said that it, too, has worked to resolve problems identified in the Senate report.
“DHS has taken significant measures to improve and strengthen our capabilities to address the cyber risks associated with our critical information networks and systems,” S.Y. Lee, a department spokesman, said in an e-mailed statement.
Other problems identified in the Senate report:
● In every year since 2008, the GAO has found roughly 100 weaknesses in the computer security practices of the Internal Revenue Service, which took an average of 55 days to patch critical system flaws once they were identified. It is supposed to take only three days to do so.
● Hackers have cracked the systems of the Energy Department, gaining access to the personal information of 104,000 past and present department employees.
● The Nuclear Regulatory Commission, which keeps data on the design and security of every nuclear reactor and waste facility in the country, “regularly experiences unauthorized disclosures of sensitive information.” An agency spokeswoman issued a statement saying it “takes information security very seriously and works continuously toward improvements.”
● And at the Securities and Exchange Commission, laptops containing sensitive information were not encrypted and staffers sometimes transmitted private information about financial institutions on personal e-mail accounts. On at least one occasion, an SEC staffer logged onto an unsecured WiFi network at a convention of computer hackers.
While the report was released by Coburn, a Republican, the Democratic chairman of the Senate committee concurred with many of its findings.
“Federal agencies still have more work to do in this area, and the laws that govern the security of our federal civilian networks need to be reformed,” said Emily Spain, spokeswoman for Sen. Thomas R. Carper (D-Del.).
Still, Washington has been slow to act. A 2000 law to improve government cybersecurity did not mandate consequences for agency lapses. In recent years, numerous bills calling for better computer and network security have languished in Congress. The White House, meanwhile, is pushing to give the Department of Homeland Security more authority to enforce cybersecurity rules across government.
“At the end of the day, it’s a lot like the problem you have in businesses,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies. “The CEOs don’t see cyber as their mission, as a fundamental problem. You don’t see your job as running a secure network. If something goes wrong, nothing happens to you.”