Clueless federal government's cybersecurity is like one giant hack-me cluster flub

If you use ‘password,’ one of the worst passwords, as your password, fail to keep antivirus protection updated and don’t bother to deploy security patches to close critical vulnerabilities, then maybe you should consider working for the cybersecurity-clueless federal government; you’d fit right in.

Poor cybersecurity practices of the federal government

When Senator Tom Coburn MD released “The Federal Government's Track Record on Cybersecurity and Critical Infrastructure” report, he said, “Weaknesses in the federal government’s own cybersecurity have put at risk the electrical grid, our financial markets, our emergency response systems and our citizens’ personal information.”

Hackers have penetrated, taken control of, caused damage to and/or stolen sensitive personal and official information from computer systems at the Departments of Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce; NASA; the Environmental Protection Agency; the Office of Personnel Management; the Federal Reserve; the Commodity Futures Trading Commission; the Food and Drug Administration; the U.S. Copyright Office; and the National Weather Service.

Those are the hacks we know about, because the hackers went public, but there were “over 48,000 other cyber ‘incidents’ involving government systems” that were not headline news.  

Your tax dollars at work

The government has spent “at least $65 billion on securing its computers and networks” since 2006, but you wouldn’t know it by reading 19 pages of federal government cybersecurity ineptitude gathered from “over 40 audits, investigations and reviews.”

Department of Homeland Security

A decade after DHS was created, the agency was still plagued with cybersecurity and critical infrastructure problems. But Coburn’s report highlights one DHS cybersecurity cluster-flub after another.

The National Protection and Programs Directorate (NPPD), which oversees DHS cybersecurity programs, protects sensitive databases with “weak or default passwords.” But hey, that’s nothing, because NPPD also repeatedly fails to install software updates and critical security patches.

A few examples of unpatched vulnerabilities were discovered “on servers supporting U.S. Secret Service intelligence work; on computers supporting ICE Homeland Security Investigations’ Intelligence Fusion Systems, a powerful system allowing agents to query several sensitive databases; and on dozens of servers supporting TSA’s Transportation Worker Identification Credential (TWIC) program, which keeps biometric information and credentials for over two million longshoremen, truckers, port employees, mariners and others.”

There are exploitable holes, which could allow unauthorized access, in “public websites for CBP, FEMA, ICE and even NPPD, home of US-CERT.” If you “like” that, then you’ll “love” this irony:

Several vulnerabilities were found in the DHS website “Build Security In” (http://www.buildsecurityin.us-cert.gov). DHS developed the site to encourage software developers “to build security into software in every phase of its development.” 

12 of 14 computer servers controlling physical access to DHS facilities had not updated antivirus software since August 2011. Additionally, critical software patches had not been deployed on several servers.

When auditors physically inspected DHS offices, they found “passwords written down on desks, sensitive information left exposed, unlocked laptops, even credit card information.” In the office of the Chief Information Officer for ICE, auditors found “10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops — even two credit cards left out.”

Nuclear Regulatory Commission

The NRC, which is in charge of the “design and security of every nuclear reactor, waste storage facility and uranium process facility” in the U.S., stored sensitive info for nuclear plants on an “unprotected shared drive, making them more vulnerable to hackers and cyberthieves.” So how often does this happen? NRC can’t tell us because there is no process to report such breaches. It should come as little surprise then to know the NRC can’t keep track of its computers.

But how can that be? There is such a cybersecurity “general sloppiness” and “perceived ineptitude of NRC technology experts” that “NRC offices have effectively gone rogue – by buying and deploying their own computers and networks without the knowledge or involvement of the department’s so-called IT experts. Such ‘shadow IT’ systems ‘can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies’.”

Internal Revenue Service

The IRS has more sensitive info on Americans than other federal agencies, including “personal information on Americans’ credit card transactions, eBay activities, Facebook posts and other online behavior.” Yet the IRS is “dangerously slow to install crucial software updates and patches.”

IRS employees must be so busy crunching numbers that they missed the million articles about terribly insecure common passwords. Instead many used ‘password,’ ‘qwerty,’ or easily guessed passwords like their names. Other IRS employees haven’t changed their passwords in nearly two years. The IRS practice of insecure and “lousy” passwords has been going on for six years. The report states, “As a result someone might gain unauthorized access to taxpayers’ personal information and it ‘would be virtually undetectable,’ potentially for years.”

Same sad cybersecurity song for other federal departments

Last year hackers broke into the national Emergency Broadcast System and broadcast an emergency zombie apocalypse warning on TV. After hackers exploited the National Institute of Standards and Technology (NIST) servers, “which host the federal government’s database of known software vulnerabilities,” the servers “had to be taken out of service for several days.” Also last year, “hackers gained access to U.S. Army Corps of Engineers computers and downloaded an entire non-public database of information about the nation’s 85,000 dams — including sensitive information about each dam’s condition, the potential for fatalities if breached, location and nearest city.”

The Department of Energy: Although We the People paid for a software upgrade, no one bothered to install it. The fact that the software hadn’t been updated in over two years has allowed several hacks, including last summer when hackers stole private information on over 104,000 past and present Energy Department employees. The report goes on to detail poor cybersecurity practices like out-of-date patches, weak passwords, vulnerable web applications, and unprotected public-facing servers, 11 of which had no or weak password protections. In fact, “one of the unprotected machines the OIG found was a payroll server, which was configured to allow remote access to anyone, without a username or password.”

It’s the same sad cybersecurity song for other federal departments. For example, the Department of Education, which "manages $948 billion in student loans made to more than 30 million borrowers" and all the data on those people, is also plagued with vulnerabilities ranging from weak passwords to unsecure networks.

The Securities and Exchange Commission network had “no firewall or intrusion protection software running” for at least several months. The report accused the SEC of having “routinely exposed extremely sensitive data about the computer networks supporting the New York Stock Exchange, including NYSE’s cybersecurity measures. The information the SEC exposed reportedly could be extremely useful to a hacker or terrorist who wanted to penetrate the market’s defenses and attack its systems.”

President Obama ordered federal agencies to draw up plans to protect the “security of computers and networks which run the nation’s commercially-owned critical infrastructure,” but for the “country’s citizens and businesses to take the government’s effort seriously, the federal government should address the immediate danger posed by the insecurity of its own critical networks.”

Senator Coburn stated, “While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cybersecurity, there are very basic – and critically important – precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing.” 
