Audit: OPM, other agencies, weak on IT security of high-impact systems

Four federal agencies, including the Office of Personnel Management, that use ‘high-impact’ information systems have failed to secure them properly, leaving them at greater risk of penetration by hackers or cyberspies, congressional auditors found.

‘Until the selected agencies address weaknesses in access and other controls … the sensitive data maintained on selected systems will be at increased risk of unauthorized access, modification, and disclosure, and the systems at risk of disruption,’ concluded the Government Accountability Office in a report finished last month but only made public Tuesday.

The findings come in response to lawmakers’ concerns about the security of federal ‘high-impact’ computer systems — those where the loss of the information they hold would cause ‘catastrophic harm’ to individuals, the government or the nation.

The findings are based on research done between February last year and May 2016, meaning that much of it post-dates the so-called cyber sprint, designed to shore up the cybersecurity of key IT assets.

OPM, the agency which suffered a massive hack by suspected Chinese cyberspies that exposed the personal data of more than 20 million current and former federal employees and applicants for a U.S. security clearance, complained in its response that auditors had withheld details of some of the security weaknesses they discovered and the agency therefore was contesting one of their recommendations.

Auditors surveyed all 24 CFO Act agencies, but only 18 of them operate high-impact information systems. All 18 reported that they were under more or less constant attack, and that the most serious and numerous attempts came from nation-state attackers.

Phishing and spear-phishing email attacks, using both malicious attachments and malicious links; credentials-based attacks like password reuse, guessing and brute-force; the exploitation of trusted third-party relationships; and SQL injection were ‘the most serious attack methods in terms of affecting their high-impact systems,’ the agencies reported, according to GAO.

Auditors looked in detail at four agencies — NASA, the Nuclear Regulatory Commission, OPM and the Department of Veterans Affairs — and eight high-impact systems they operate. All the agencies had taken some security measures in relation to their high-impact systems; for example, all had ‘developed a risk assessment for their selected high-risk systems.’

But there were weaknesses, too, especially in regard to access controls. ‘These control weaknesses included those protecting system boundaries, identifying and authenticating users, authorizing access needed to perform job duties, and auditing and monitoring system activities,’ as well as systematic patching of known software vulnerabilities, the report said.