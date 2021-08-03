The findings, which were largely culled from reporting by the agencies’ own internal watchdogs, come after a series of government mega-breaches during the past decade that have exposed reams of data about federal employees and government operations to U.S. adversaries.
They paint a picture of a government that, despite years of warning shots, is ill-prepared to withstand hacks from Russia, China and elsewhere.
“It is clear that the data entrusted to these eight key agencies remains at risk,” the report states. “As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow [personally identifiable information] and national security secrets to remain vulnerable.”
The evaluation includes a report card for agencies’ cybersecurity, which was adapted from numerical scores given by agency inspectors general. It is riddled with C's and D's.
“This is not a report card I would ever want to take home to my parents,” a Homeland Security Committee aide told reporters during a preview.
The 2019 report was produced by Sen. Rob Portman (R-Ohio) when he chaired the committee’s investigations panel, along with that panel’s top Democrat, Sen. Thomas R. Carper of Delaware. Portman, who is now the committee’s top Republican, spearheaded today’s update with committee Chairman Sen. Gary Peters (D-Mich.).
Portman and Peters are planning to introduce legislation before the end of 2022 to address many of the problems, including a rewrite of the main law covering government cybersecurity, the Federal Information Security Management Act, an aide said.
The report is chock full of disturbing anecdotes.
- During an authorized hacking exercise, investigators were able to access hundreds of documents containing people’s personal information from the Department of Education, including 200 credit card numbers. The department’s IT staff neither blocked the testers nor noticed the activity.
- The Social Security Administration wasn’t sufficiently protecting people’s personal information and still hadn’t implemented computer security requirements that were mandated in 2015.
- There were thousands of instances in which State Department employees had left the agency for substantial periods of time but the department hadn’t deactivated their accounts, some of which had access to classified information. Active but unmonitored accounts are a gold mine for hackers, who can use them to gain persistent, hard-to-spot access to systems and information without tripping the alarms that a new or unusual account might.
- The Transportation Department inspector general found nearly 15,000 IT devices, including more than 7,000 phones, that were being used by employees and contractors for which the department had no record.
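The State Department finding above is one an agency can check for itself. The following is an added example, not code from the report or from any agency: it cross-references a constructed HR separation list against a constructed directory export to flag accounts that are still enabled after their owner left, and enabled accounts with no record of separation that have nonetheless sat dormant. The record fields, the one-day deactivation grace period, the 90-day dormancy threshold, and every sample record are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Account:
    """One row of an assumed directory export (field names are assumptions)."""
    username: str
    enabled: bool
    last_logon: Optional[date]      # None means the account has never logged on
    classified_access: bool         # whether the account can reach classified systems


@dataclass(frozen=True)
class Separation:
    """One row of an assumed HR separation feed."""
    username: str
    separated_on: date


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str
    days: Optional[int]             # days since separation or last logon; None if never logged on
    classified_access: bool


def find_orphaned_accounts(
    accounts: Iterable[Account],
    separations: Iterable[Separation],
    as_of: date,
    grace_days: int = 1,            # assumed allowance for same-day deprovisioning
    dormant_days: int = 90,         # assumed idle threshold for accounts with no separation record
) -> List[Finding]:
    """Return enabled accounts that should have been disabled, riskiest first.

    Two classes are flagged: accounts still enabled more than grace_days after
    HR recorded a separation, and accounts with no separation record that have
    not logged on within dormant_days (or have never logged on). Disabled
    accounts are ignored because they were deprovisioned correctly.
    """
    separated = {s.username: s.separated_on for s in separations}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        sep = separated.get(acct.username)
        if sep is not None:
            since = (as_of - sep).days
            if since > grace_days:
                findings.append(Finding(acct.username, "enabled after separation",
                                        since, acct.classified_access))
            continue
        if acct.last_logon is None:
            findings.append(Finding(acct.username, "enabled but never logged on",
                                    None, acct.classified_access))
        elif (as_of - acct.last_logon).days > dormant_days:
            findings.append(Finding(acct.username, "enabled but dormant",
                                    (as_of - acct.last_logon).days, acct.classified_access))
    # Classified-capable accounts first, then the longest-standing problems.
    findings.sort(key=lambda f: (not f.classified_access, -(f.days or 0)))
    return findings


# Constructed sample data for a run "as of" the report's publication date.
AS_OF = date(2021, 8, 3)
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2021, 8, 2), False),   # active employee, fine
    Account("bob", True, date(2021, 1, 15), True),     # left in February, still enabled
    Account("carol", False, date(2021, 2, 20), False), # left in March, correctly disabled
    Account("dave", True, date(2021, 3, 10), False),   # no separation, idle for months
    Account("erin", True, date(2021, 8, 1), False),    # separated yesterday, within grace
    Account("frank", True, None, True),                # provisioned, never used
]
SAMPLE_SEPARATIONS = [
    Separation("bob", date(2021, 2, 1)),
    Separation("carol", date(2021, 3, 1)),
    Separation("erin", date(2021, 8, 2)),
]


if __name__ == "__main__":
    for f in find_orphaned_accounts(SAMPLE_ACCOUNTS, SAMPLE_SEPARATIONS, AS_OF):
        tag = "CLASSIFIED" if f.classified_access else "unclassified"
        print(f"{f.username:8} {tag:13} {f.reason} ({f.days} days)")
```

Run against the sample data, the check flags bob (183 days past separation, classified access), frank (never logged on, classified access) and dave (146 days idle), while alice, the correctly disabled carol, and erin, still inside the grace period, are not reported. The grace period matters in practice: a feed that runs before HR's record lands would otherwise produce a false positive on every departure day.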
The report also identified numerous basic cybersecurity failings, such as agencies not encrypting data, not requiring multi-factor authentication when employees access sensitive accounts, and not restricting employees to the data they actually need for their jobs.
Seven of the agencies were also running systems so old that the vendor no longer supported them, meaning newly discovered security bugs in those systems will never be patched.
Most of the problems highlighted in the report reflect decades-long problems for government cybersecurity.
The government has struggled for years to replace outdated and unsupported technology. Cybersecurity leaders have also wrangled with an unyielding bureaucracy that makes it exceptionally difficult to impose standard security requirements across the government.
The chances for government coordination on cybersecurity improved, however, with the creation of CISA in 2018 and the creation of a national cyber director role at the White House this year.
The report recommends increasing CISA’s authority to make government-wide cyber decisions and requiring agencies to notify CISA about certain breaches and other cyber incidents.
Investigators found more people who were targeted with NSO Group’s Pegasus spyware.
French authorities found signs of Pegasus on three French journalists’ devices, the Guardian’s Kim Willsher reports. It’s the first independent confirmation of such an infection by government authorities following an investigation by The Washington Post and 16 media partners into Pegasus’s alleged misuse by NSO’s government clients.
French authorities have sent their findings to the Paris public prosecutor’s office, which is investigating hacking allegations.
A new forensic investigation shows that a supporter of a princess who fled Dubai to escape from her father, Sheikh Mohammed bin Rashid al-Maktoum, was infected by the spyware as well, Drew Harwell and Dan Sabbagh report. An activist in the United Kingdom and journalists in Hungary and Turkey were also infected by Pegasus, according to new forensic examinations.
The national cyber director is stumping for a Bureau of Cyber Statistics.
A centralized cyber data hub would help the U.S. government assess cyber risk and find solutions to thorny problems, according to national cyber director Chris Inglis. Inglis previously served as a commissioner on the Cyberspace Solarium Commission, which recommended such a bureau. Creating a bureau would require an act of Congress.
“While the White House does not yet have an official policy on this — we’re still working our way through consideration — I think all would agree that in the absence of this information, we are going to be episodic, we are going to be uneven, and perhaps less than optimal in our response” to cyberthreats, Inglis said during an event at the Atlantic Council.
Lawmakers gave Inglis a boost this week by including $21 million for his office in a bipartisan infrastructure deal. “As we strengthen our networks against global cyberthreats and ransomware criminals, we must ensure that Director Inglis has the resources to implement a comprehensive plan to protect our society, economy and nation from those seeking to do us harm,” said Sen. Angus King (I-Maine), a co-chair of the Solarium Commission.
Maricopa County and election machine maker Dominion refused to comply with subpoenas for additional election materials for a partisan audit.
The demand for routers and other election materials came after the county had already been forced to turn over voting machines from the 2020 contest. In a note to the state Senate officials who ordered the audit, County Board of Supervisors Chairman Jack Sellers (R) said the board had “little time to entertain this adventure in never-never land,” Rosalind S. Helderman reports.
“It’s time for all elected officials to tell the truth and stop encouraging conspiracies,” Sellers wrote. “Release your report and be prepared to defend any accusations of misdeeds in court. It’s time to move on.”
Dominion separately wrote that the subpoena is “invalid and unenforceable.” The company has filed defamation lawsuits against allies of Donald Trump who have promoted false claims that Dominion voting machines were rigged to switch votes from Trump to Joe Biden.
