U.S. Government Computers Still Not Safe From Cyber Attacks

Feds failing to safeguard U.S. networks, secrets

February 21, 2017

U.S. government computer systems remain unsecured and vulnerable to cyber attacks from a host of bad actors, according to a new government report that identifies a range of weaknesses in U.S. cyber defenses that could lead to a devastating attack on the American government.

Those in charge of the federal computer networks have failed to address major vulnerabilities for at least the past decade, according to the Government Accountability Office, which disclosed in a recent report that critical networks are "riddled with security vulnerabilities" and open to attack.

Investigators "consistently identified shortcomings in the federal government's approach to ensuring the security of federal information systems and cyber critical infrastructure as well as its approach to protecting the privacy of personally identifiable information (PII)," according to the report, which discloses that out of 2,500 exposed weaknesses, the federal government has failed to address more than 1,000.

The failure to secure these networks leaves the United States vulnerable to lethal cyber attacks on U.S. financial services, national infrastructure, and inter-government communications, according to the report.

These outstanding problems have long been known, but the government, including the Department of Homeland Security, has failed to take appropriate action.

"Over the past several years, GAO has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls," according to the report. "As of February 2017, about 1,000 recommendations had not been implemented."

Critical cyber issues were first made known to the federal government in 1997, the report notes.

Still, these networks remain unsecured in many instances and at risk for attack.

"Federal information systems and networks are inherently at risk," according to the report. "They are highly complex and dynamic, technologically diverse, and often geographically dispersed. This complexity increases the difficulty in identifying, managing, and protecting the myriad of operating systems, applications, and devices comprising the systems and networks."

The risk is exacerbated by longstanding security issues that have left the federal network "riddled with security vulnerabilities." The problems extend to all federal agencies, according to the report.

"Systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown," the report states.

A national database of known vulnerabilities includes 82,384 entries as of February 2016, "with more being added each day." It is impossible to calculate the number of unknown vulnerabilities lurking in these systems.

The number of cyber attacks and potential intrusions has been growing each year, according to the report, which notes that "until fiscal year 2016, the number of information security incidents reported by federal agencies to the Department of Homeland Security's (DHS) U.S. Computer Emergency Readiness Team (US-CERT) had steadily increased each year."

Between 2006 and 2015, the number of reported security breaches grew from 5,503 to 77,183, a 1,303 percent increase, according to the report.

Potential risks include infiltration of the U.S. financial system that could lead to stolen money, unauthorized entry to sensitive networks, and attacks across a wide array of interconnected computers. Sensitive data such as taxpayer information, Social Security records, medical data, and national security information also could be at risk.

Other risks include espionage and the disruption of "critical operations, such as those supporting national defense and emergency services," according to the report.

Reported breaches significantly decreased by 56 percent in 2016, but not necessarily because the security architecture had improved.

"The decrease in reported incidents for fiscal year 2016 was likely due to revised incident reporting requirements that no longer require agencies to report non-cyber incidents or attempted scans or probes of agency networks," according to one DHS official who spoke to government investigators about the situation.

The GAO is recommending wide-ranging improvements meant to counter known threats and safeguard against future cyber attacks.

"The security over these systems is inconsistent and additional actions are needed to address ongoing cybersecurity and privacy challenges," according to the report.

The U.S. government should "fully implement" an organization-wide security crackdown to protect against future breaches, according to the report.

Additionally, "efforts to bolster the cybersecurity of the nation's critical infrastructure [must] be strengthened."
