In June of this year, the Senate Permanent Subcommittee on Investigations published a 99-page report titled Federal Cybersecurity: America’s Data at Risk. The committee, chaired by Senators Rob Portman of Ohio and Tom Carper of West Virginia, revealed some (theoretically) shocking discoveries about lax protections of citizen data in seven federal agencies, including the Department of Transportation, DHS, the Department of Education and the Social Security Administration. The report was the result of a review of 10 years of Inspector General reports.
The report reviews a wide range of alarming security deficiencies. Problems include reliance on outdated, unsupported systems, failure to apply mandatory security patches, and neglecting to keep an inventory of hardware and software, among others. The report also highlights an increase in cyber incidents, which jumped from 5,500 in 2006 to 77,000 in 2015. (The number dropped to 35,277 cyber incidents in 2017, but this reflects a change in definitions, rather than a decline in hacking activity.)
Examples of security weaknesses include use of unsupported Windows XP and Windows Server 2003 at DHS and decades-old legacy systems at the Transportation Department and the Social Security Administration. These agencies store personal information about American citizens and sensitive government data on these vulnerable systems.
Understanding the (non) Reaction to the Report
The report received widespread media coverage when it was published. After a few days, the story went away. There were some scattered comments from the industry, but not much.
Why was the reaction to this seemingly important story so muted? A number of possible explanations emerge. For one thing, the report was not really a surprise to anyone who has been following cybersecurity. The revelation that major government agencies are not keeping up with security duties is not news.
The story is also fairly dull, in today’s media climate. Compared to the daily outrages and media stunts concocted by elected officials, a 99-page rundown on patch management problems is a bit of a snooze.
According to Katherine Gronberg, VP for Government Affairs at Forescout, which makes a unified device visibility and control platform, the story didn’t catch on because it is actually a compilation of other reports. “You have to be a little bit of a wonk to really appreciate what this report is telling us,” she said.
Additionally, the public has not experienced many consequences from these cyber vulnerabilities. While a lot of private citizen data has been stolen in publicly known breaches, these thefts have not translated into fraud or identity theft on a large scale. There has been little public outcry, and therefore little political interest, in the problem, because Americans have not felt affected by it.
The public isn’t reacting much to the breaches because China is apparently behind them, and it does not seem to be doing much with the data. It is stealing American citizens’ private data for its own reasons, which are poorly understood. An interesting article in the Wall Street Journal speaks to this issue. In What Does Beijing Want With Your Medical Records?, reporters Christopher Porter and Brian Finch suggest, “China is gathering the pieces needed to create in the U.S. a version of its omnipresent surveillance state.” When we do discover what China has wanted with all of our data, we probably won’t be happy about it.
What’s Happening, and What Can Be Done Better
The report may also have failed to garner much attention, at least within government circles, because people who understand federal cybersecurity know that the agencies in question are trying to deal with the problem. They are deficient, but not negligent. So, it’s not a scandal.
“I think it’s important to get beyond the cheap scoop aspect of this report,” said Gronberg. “It raises some profound issues, but people at the agencies are making efforts. Legislation has been passed. There are parties responsible for its implementation and oversight. This report itself is an example of the oversight and accountability built into the regulations.”
As Gronberg sees it, government agencies are moving in the right direction, but making slow progress. She cited, for example, the report’s recommendation for agencies to make more use of the DHS-created Continuous Diagnostics and Mitigation (CDM) program. CDM, which was commissioned by Congress, offers a dynamic approach to fortifying the cybersecurity of government networks and systems. It provides federal departments and agencies with capabilities and tools to conduct automated, ongoing assessments.
“CDM is a great program, especially for agencies that are not getting good FISMA scores,” Gronberg noted. “Though it’s been criticized for moving too slowly, I think anyone in the space would agree that it is still significantly improving the cyber hygiene of federal civilian agencies.” She felt that CDM is budget-constrained, with the potential to move faster if it had more funding and oversight. Better incentives for improving security would also help, she added.
Gronberg also pointed out the costs involved in updating the legacy systems cited in the report. “Anyone who has lived through a legacy migration project at a federal agency knows that they tend to be slow, stressful and extremely expensive.” The same is true in the private sector. Gronberg further noted that the government is trying to catch up with the proliferation of IoT devices and the security issues they create. This is a difficult problem to solve quickly.
In Gronberg’s view, no new laws are needed to remedy the deficiencies highlighted in the report. “We have the tools already in government. We just need to use them more rigorously,” she said. “We need more continuous diagnostics and thorough use of FISMA to create better cyber postures in all agencies.”
She also noted that, while the report discussed vulnerabilities, it did not state that these vulnerabilities were exploited. Of course, it is highly likely that the agencies have been breached given their out-of-date, unpatched systems and deficient countermeasures. It is impossible to know the reality at this point.