Of eight federal agencies audited for their cybersecurity programs, only the Department of Homeland Security showed improvements in 2020, according to a report from the Senate Homeland Security and Governmental Affairs Committee.
Released by the panel on Tuesday, the report expresses concerns about the state of federal agencies’ cyber posture during an overall 8% rise in security incidents across agencies.
The report underscores the increased scrutiny of federal cybersecurity by lawmakers in the aftermath of a months-long alleged Russian cyber-espionage campaign that the private sector first uncovered in December 2020. Russian hackers used a flaw in SolarWinds network management software to infiltrate nine government agencies.
The report found that seven of the eight agencies reviewed still use legacy systems for which the vendor no longer provides security updates. The practice can leave agencies vulnerable to foreign hacking, the report notes.
“It is clear that the data entrusted to these eight key agencies remain at risk,” the report states. “As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow [personally identifiable information] and national security secrets to remain vulnerable.”
The report culls from 2020 inspector general reports for the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, Education and the Social Security Administration.
Among the specific agency findings the report highlights are that the State Department could not provide documentation for 60% of the sampled employees who had access to its classified networks. The Department of Education’s inspector general found in a test that it was able to steal hundreds of files of personal information from the agency, including credit card numbers, without the agency blocking it.
The report calls for Congress to update the 2014 Federal Information Security Modernization Act to require federal agencies to notify DHS’s Cybersecurity and Infrastructure Security Agency of cyber incidents and to formalize the agency’s role of leading federal cybersecurity operations. The report also recommends an expansion of CISA’s offerings to federal agencies and for the agency to produce a plan to update its intrusion detection system, EINSTEIN.
The committee recommends a primary office to coordinate with agencies for a federal-government-wide cybersecurity strategy. National Cyber Director Chris Inglis, who recently took the helm of the newly created office, says he is working on coordinating such an approach. President Biden in May signed an executive order setting a number of benchmarks to improve federal cybersecurity.