The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: White House cybersecurity report shows federal agencies still struggling to get secure

Placeholder while article actions load

with Bastien Inzaurralde


The White House and the Department of Homeland Security have finished a governmentwide review examining the security of federal agencies, and the results aren’t pretty. 

Dozens of federal agencies have cybersecurity programs that aren’t properly equipped to deal with cyber intrusions in their networks, according to a new report released by the White House Office of Management and Budget. Of the 96 federal agencies examined, a whopping 71 were relying on cybersecurity programs deemed “at risk or high risk.”

President Trump came to office promising cybersecurity would be a major priority — vowing on the campaign trail to order a review of U.S. cyberdefenses and to confront malicious cyber activity by foreign governments. And this report was commissioned last May under his sweeping executive order on cybersecurity, which broadly sought to hold agency heads accountable for protecting their networks.

Trump's relative prioritization of federal cybersecurity was welcomed by many experts in the wake of the massive Office of Personnel Management breach that exposed the personal information of some 22 million people in 2014, and in light of the intelligence community’s fresh concerns about Russia’s election interference during the 2016 presidential election. 

But one year later, the results of this report spotlight how the federal government is still struggling to organize its cybersecurity efforts. And former White House and DHS officials worry that the Trump administration lacks a path forward without proper leadership at the top. 

"Things aren’t improving as fast as we need them to," said Ari Schwartz, who served on the National Security Council during the Obama administration as senior director for cybersecurity. "We’re behind where we need to be to be successful in preventing attacks."

The report found that 12 agencies had “high risk” programs, meaning key cybersecurity tools weren’t in place or weren’t deployed sufficiently. Fifty-nine agencies had “at risk” programs, meaning some of the right policies were in place but there were “significant gaps” in terms of security. OMB also noted that federal agencies lacked the visibility into their own networks that would help them detect attempts to steal data and respond to other cyber incidents.

Although the report doesn’t identify which agencies had cybersecurity problems, the scope of the issues described in the report makes it clear that both small and large agencies alike have a ton of work to do, said Stewart Baker, former assistant secretary for policy at DHS. 

“It would be comforting but wrong to assume that the agencies at risk are pipsqueaks like the National Endowment for the Arts or the Federal Mediation Service,” Baker told me. “We’re at that awkward stage where every agency is aware of the threat but few of them have changed their budget priorities to counter it. That, plus the fact that some of the most mission-critical applications are the hardest to patch, means that many of the at-risk programs are essential to the functioning of the government.”

Making matters more complicated, the White House decided in recent weeks to eliminate the role of cybersecurity coordinator, a position created under President Barack Obama to oversee cybersecurity policy across the federal government. 

In theory, orchestrating an action plan after this report would be right in the cyber czar’s bailiwick. But with former cybersecurity coordinator Rob Joyce returning to the National Security Agency and no replacement on the way, there appears to be no obvious advocate in the White House to help agencies improve the very cybersecurity programs the report calls deficient. 

“That’s the type of thing that the cyber coordinator used to be in charge of,” Schwartz said. “Getting rid of that complicates the matter and makes it harder to do that kind of management.”

This won't be a simple fix: The 59 "at risk" agencies are still learning how to respond to digital threats, Schwartz said. Even more troubling are the dozen "high risk" agencies. “It means that they’re not improving,” Schwartz told me. “Based on my experience, it would mean that these are agencies that don’t have the ability to fix their problems.”

The report offered several recommendations to help agencies better protect themselves against digital threats. They include: using the same language across agencies to identify and categorize cyberthreats, standardizing certain cybersecurity tools to help control costs, consolidating the teams within agencies that respond to cyberthreats, and increasing accountability for top agency officials. 

There is one bright spot in the report, said Frank Cilluffo, a former homeland security adviser to President George W. Bush: It offers “a snapshot on where the federal government writ large currently stands and offers a process on how to improve.”

“The bad news," he said, "is the results themselves are disappointing and highlight just how much more still needs to be done.”


PINGED: A federal judge in San Francisco on Tuesday sentenced Karim Baratov, a 23-year-old hacker, to five years in prison and a $250,000 fine for his role in the massive Yahoo data breach in 2014, the Wall Street Journal's Robert McMillan reports. “Mr. Baratov wasn’t believed to have been involved in the Yahoo hack itself but was a hacker-for-hire used as part of a broader information-gathering operation tied to Russia, according to prosecutors,” McMillan writes.

Federal authorities said Baratov, who has dual Canadian and Kazakh nationality, hacked more than 11,000 Web email accounts from 2010 until 2017, and about 80 of those breaches were related to the Yahoo hack, according to McMillan. “The last 14 months have been a very humbling and an eye-opening experience,” Baratov said before his sentencing, as quoted by McMillan. “I did not know how much damage and trouble I had caused. There’s no excuse for my actions.”

“It's difficult to overstate the unprecedented nature of this conspiracy, in which members of a foreign intelligence service directed and empowered criminal hackers to conduct a massive cyber-attack against 500 million victim user accounts,” John F. Bennet, special agent in charge of the FBI’s San Francisco field office, said in a statement. “Today's sentencing demonstrates the FBI's unwavering commitment to disrupt and prosecute malicious cyber actors despite their attempts to conceal their identities and hide from justice.”

PATCHED: While the meeting between Trump and Kim Jong Un gets scheduled, then canceled, then maybe rescheduled, the U.S. government continues to probe North Korea's cyber capabilities. The Department of Homeland Security and the FBI on Tuesday said they identified two kinds of malware called Joanap and Brambul that the North Korean government uses in cyberattacks. The statement also says the U.S. government refers to the North Korean government's cyberattacks as “Hidden Cobra.”

“According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States — including the media, aerospace, financial, and critical infrastructure sectors,” according to the statement. Joanap is a remote access tool and Brambul is a “Server Message Block” worm, the statement says. Additionally, FBI and DHS said users should “immediately” report any activity linked to the two kinds of malware that they encounter.

PWNED: The government of Papua New Guinea says it will ban Facebook — for one month. Sam Basil, Papua New Guinea's communications minister, said the one-month shutdown will provide a window to spot fake accounts and users who spread pornographic content and disinformation, The Washington Post's Hamza Shaban reports. Facebook said in a statement to The Post that the company has "reached out to the government to understand their concerns."

Basil also said Papua New Guinea may consider creating a social network for its citizens that would replace Facebook, Shaban writes. "If there need be, then we can gather our local applications developers to create a site that is more conducive for Papua New Guineans to communicate within the country and abroad as well," Basil told the Papua New Guinea Post-Courier.

Aim Sinpeng, a political scientist at the University of Sydney, said the temporary ban raises questions about the government's intent because it isn't necessary to shutdown Facebook to conduct research on it, the Guardian's Eleanor Ainge Roy reports"One month is an interesting time limit for a ban, I am not exactly sure what they think they can achieve, and why a ban is necessary," Sinpeng told Ainge Roy. "You can do Facebook analysis without it. And what data are the government collecting? If they are concerned about fake news there are many ways to do it without issuing a ban on a platform."

— More cybersecurity news:

Cohen Prosecutors to Get Seized Phone Data by Wednesday (Bloomberg)


— “Trump said Tuesday that he would proceed with tariffs on $50 billion in Chinese imports and introduce new limits on Chinese investment in U.S. high-tech industries as part of a broad campaign to crack down on Chinese acquisition of U.S. technology,” The Post’s David J. Lynch reports.

The White House cited “cyber intrusions” in U.S. computer systems and “outright cyber theft” among the Trump administration’s grievances against Chinese trade practices. “China conducts and supports cyber intrusions into United States computer networks to gain access to valuable business information so Chinese companies can copy products,” the White House said in a statement.

— The Trump administration may release a report today on fighting botnets, sources from the private sector told Inside Cybersecurity’s Charlie Mitchell. “Sources said the report will call on the departments of Commerce and Homeland Security to draft a ‘roadmap’ on how to prioritize botnet-related activities amid a plethora of other government and industry cybersecurity initiatives,” Mitchell writes.

— Homeland Security Secretary Kirstjen Nielsen met with British Home Secretary Sajid Javid on Tuesday to discuss cooperation on counterterrorism. Nielsen also “highlighted” DHS’s new cybersecurity strategy, according to a statement from the agency.

— Cyberattacks hit the Idaho state government twice in three days this monthRyan Johnston writes in StateScoop. "The first attack, on May 9, took hold of one tax commission employee's computer through a phishing email sent from a local business," Johnston writes. "The business wasn't aware that the email contained a malicious link, according to Renee Eymann, public information officer for the state, and neither was the state employee who clicked on the link and entered government credentials."

The second attack came May 11 when a group of Italian hackers called Anon+ targeted the state legislature's website and an online courts portal, but no data was compromised, Jeff Weak, Idaho's information security director, told Johnston. "Officials say they believe the attacks were unrelated, and that the state's agencies are attacked daily by actors looking for weak spots," Johnston writes.

— More cybersecurity news about the public sector:

Central Command Needs High-Level Middle East Cyber Ops Advisers, Fast (Nextgov)


How a Pentagon Contract Became an Identity Crisis for Google (The New York Times)

Facebook’s new political ad policy is already sweeping up non-campaign posts (The Verge)

These Are Facebook’s Policies for Moderating White Supremacy and Hate (Motherboard)


— "A sophisticated Chinese cybercrime group is using old, leaked computer code from a notorious cyber-arms dealer known as HackingTeam to breach thousands of companies, mostly based in Asia, according to new research by Israel cybersecurity firm Intezer," CyberScoop's Chris Bing reports. "During the past year and a half, the Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms," Intezer's Omri Ben Bassat wrote in a blog post on Tuesday, referring to the Chinese hacking group as Iron group. "They have used their malware to successfully infect, at least, a few thousand victims."

More international cybersecurity news: 

Russia asks Apple to ban messaging app Telegram (The Hill)

At Beijing security fair, an arms race for surveillance tech (Reuters)

EU GDPR's focus on privacy could unintentionally, and adversely, rewrite data security (Inside Cybersecurity)



Coming soon


A day of making "Late Night with Seth Meyers":

From the writers' room to rehearsal to show time, here's a behind-the-scenes look at how "Late Night with Seth Meyers" is made in the Trump era. (Video: Erin Patrick O'Connor, Nicki DeMarco/The Washington Post)

These incidents stir conversations about "overpolicing":

The nation is embroiled in a debate about the disparate treatment of black people after several incidents of apparent “overpolicing” across the U.S. (Video: Taylor Turner/The Washington Post)

This televangelist wants donations for a $54 million jet:

Louisiana televangelist Jesse Duplantis says he wants a new jet to serve Jesus Christ. The price tag? About $54 million, and he's asking supporters to donate. (Video: Victoria Walker/The Washington Post)