The Washington PostDemocracy Dies in Darkness

It’s not just OPM: Cybersecurity across the federal government is pretty awful

The nation is still reeling from the revelation that hacks at the Office of Personnel Management exposed the personal data of 22.1 million people. But government audits reveal that the agency isn't alone: Basically the whole government is struggling to protect its computer systems.

Under a 2002 law, federal agencies are supposed to meet a minimum set of information security standards and have annual audits of their cybersecurity practices. OPM's reviews showed years of problems. 

[Why OPM should have seen the latest cyberattack coming]

But the issue is far more widespread than with just one agency. According to the Government Accountability Office, 19 of 24 major agencies have declared cybersecurity a "significant deficiency" or a "material weakness." Problems range from a need for better oversight of information technology contractors to improving how agencies respond to breaches of personal information, according to GAO.

"Until federal agencies take actions to address these challenges—including implementing the hundreds of recommendations GAO and agency inspectors general have made—federal systems and information will be at an increased risk of compromise from cyber-based attacks and other threats," the watchdog agency said in a report earlier this month.

GAO also noted the "sharp" increase in information security incidents reported by federal agencies in recent years. In fiscal year 2006, there were 5,503. In fiscal year 2014, there were 67,168 -- as illustrated by this graph:

Not all of those involve hacks or breaches -- but the number of security incidents reported involving personal information has more than doubled from 10,481 in fiscal year 2009 to 27,624 in fiscal year 2014, according to GAO.

And the private sector, too, has been struggling to respond to a wave of cyberattacks that hit retailers and health insurers in recent years.

But even before the latest OPM hacks, the U.S. government was being battered by breaches. A hack at the National Oceanic and Atmospheric Administration weather network forced cybersecurity teams to seal off data important for disaster planning and aviation uses last fall. The White House and State Department also suffered breaches in their non-classified e-mail systems within the last year.