Report: 4 in 10 Government Security Breaches Go Undetected

DHS, DOJ, DOD, EPA, NASA, Energy, State routinely hacked

DHS cyber security analysts / AP
February 5, 2014

A new report by Sen. Tom Coburn (R., Okla.) details widespread cybersecurity breaches in the federal government, despite billions in spending to secure the nation’s most sensitive information.

The report, released on Tuesday, found that approximately 40 percent of breaches go undetected, and highlighted "serious vulnerabilities in the government’s efforts to protect its own civilian computers and networks."

"In the past few years, we have seen significant breaches in cybersecurity which could affect critical U.S. infrastructure," the report said. "Data on the nation’s weakest dams, including those which could kill Americans if they failed, were stolen by a malicious intruder. Nuclear plants’ confidential cybersecurity plans have been left unprotected. Blueprints for the technology undergirding the New York Stock Exchange were exposed to hackers."

Nearly every agency has been attacked, including the Departments of Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce. NASA, the EPA, the FDA, the U.S. Copyright Office, and the National Weather Service have also been hacked or had personal information stolen.

In one example, hackers breached the national Emergency Broadcast System in February 2013 to broadcast "zombie attack warnings" in several midwestern states.

"Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living," the message said. "Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."

"These are just hacks whose details became known to the public, often because the hackers themselves announced their exploits," the report said. "Largely invisible to the public and policymakers are over 48,000 other cyber ‘incidents’ involving government systems which agencies detected and reported to DHS in FY 2012."

Even worse, nearly four in 10 intrusions into major civilian agencies go undetected, according to the report.

"Weaknesses in the federal government’s own cybersecurity have put at risk the electrical grid, our financial markets, our emergency response systems, and our citizens’ personal information," Coburn, ranking member of the Homeland Security and Governmental Affairs Committee, said in a statement. "While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cybersecurity, there are very basic—and critically important—precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing."

The report places much of the blame on basic "lapses by the federal government," including failures to address routine security, such as changing passwords and installing anti-virus software.

Based on more than 40 audits by agency watchdogs, the report takes a closer look at the worst offenders, including the departments of Homeland Security, Energy, Education, the Securities and Exchange Commission, and the IRS.

Each year the Government Accountability Office (GAO) identifies roughly 100 cybersecurity weaknesses within the IRS, whose computers "hold more sensitive data on more Americans than those of perhaps any other federal component."

IRS computers had over 7,000 "potential vulnerabilities" as of March 2012, due to the failure to install "critical" security software, a problem the agency said would be fixed within 72 hours. Instead, it took an average of 55 days to install the patches.

Vulnerabilities at the agency leave vast amounts of personal information at risk, since the IRS collects Americans’ "credit card transactions, eBay activities, Facebook posts, and other online behavior," according to the report.

DHS, which was put in charge of government cybersecurity in July 2010, also has hundreds of security flaws, including "failures to update basic software like Microsoft applications, Adobe Acrobat, and Java, the sort of basic security measure just about any American with a computer has performed."

Only 72 percent of DHS Internet traffic passes through Trusted Internet Connections (TICs), and the agency has failed to install security patches on servers that contain intelligence from the U.S. Secret Service.

The Nuclear Regulatory Commission, which contains volumes of information on the nation’s nuclear facilities, "regularly experiences unauthorized disclosures of sensitive information," according to the report.

The agency has "no official process for reporting" breaches, cannot keep track of how many laptops it has, and kept information on its own cybersecurity programs, along with its commissioner’s "passport photo, credit card image, home address, and phone number," on an unsecured shared drive.

The Department of Education is also a concern since it manages $948 billion in student loans made to more than 30 million borrowers. The agency’s computers contain "volumes of information on those borrowers," including loan applications, credit checks, and repayment records.

The department’s Federal Student Aid (FSA) office reported 819 compromised accounts in 2011 and 2012, and the agency only reviewed 17 percent of those accounts to determine if malicious activity occurred.

The report notes that federal efforts have failed to improve the government’s cybersecurity. The Federal Information Security Management Act of 2002 requires agencies to implement security safeguards, and the government has spent $65 billion on IT security since 2006, though breaches remain widespread.

"More than a decade ago, Congress passed a law making the White House responsible for securing agency systems," Coburn said. "It’s still not happening."

"They need to step up to the job, and Congress needs to hold the White House and its agencies accountable," he said.