Thursday, August 5, 2021

Federal Cybersecurity: America's Data Still at Risk

"In June 2019, the Permanent Subcommittee on Investigations (Subcommittee) issued a bipartisan report titled: Federal Cybersecurity: America’s Data at Risk (the 2019 Report). That report highlighted systemic failures of eight key Federal agencies to comply with Federal cybersecurity standards identified by agencies’ inspectors general. The 2019 Report documented how none of these eight agencies met basic cybersecurity standards and protocols, including properly protecting Americans’ personally identifiable information (PII); maintaining a list of the equipment and programs on agency networks; and promptly installing security patches to remediate vulnerabilities that hackers could exploit. The 2019 Report also highlighted that all eight agencies were operating legacy computer systems, which are costly to maintain and difficult to secure. Based on those findings, the Subcommittee determined that these eight Federal agencies were failing to protect the sensitive data they stored and maintained.

 
This report revisits those same eight agencies two years later. What this report finds is stark. Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. As such, this report finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.
* * * * * * * * * * *
The current state of cyber espionage. In the past two years, state-sponsored hackers have perpetrated some of the largest and most damaging cyber-attacks in our history. In December 2020, we learned that the Russian Foreign Intelligence Service used a sophisticated supply chain vulnerability to corrupt a security patch for SolarWinds network management software. This allowed hackers to infiltrate nine Federal agencies, including DHS, State, Energy, and Treasury. Russia’s cyber-spies remained undetected in those Federal agencies’ systems for at least nine months. The Federal Government only became aware of the attack after it was discovered by a private cybersecurity firm, FireEye, which was also breached. The Federal Government is still working to understand exactly what information and data Russia accessed during those nine months..."
Federal Cybersecurity 
