View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 5, 2021updated 12 Jul 2022 5:37am

US government cyber defences remain inadequate but improving them is no easy task

Data on citizens held by many US government departments remains at risk, a new report has found. Solving this problem could be a challenge.

By Claudia Glover

A new report has criticised the US government’s cybersecurity defences, stating that most key government departments have not improved the way they protect citizens’ personal data since a previous and equally damning audit was carried out two years ago. President Biden has pledged to take action on cybersecurity, but this may be easier said than done, as big structural changes could be required if the government is to improve its defences against hacking gangs.

US government cyber security

A senate report has criticised US government cybersecurity arrangements. (Photo by Golden Brown/Shutterstock)

The report from the US senate’s committee on homeland security and governmental affairs takes the US government and eight of its key departments to task for a lack of adequate cyber protection, with all eight found to use legacy systems or applications no longer supported with security updates, “resulting in cyber vulnerabilities for the system or application”. The departments were issued with grades for their security measures; four received D grades, three gained Cs and only one – the Department of Homeland Security, which oversees the nation’s cybersecurity and infrastructure security agency (CISA), obtained a B.

During a test of the Department of Education’s security, investigators were able to extract hundreds of sensitive personal information files, including 200 credit card numbers, without the agency blocking or detecting the breach, the report reveals. The report highlights other problematic areas, and states “it is clear that the data entrusted to these eight key agencies remains at risk”. The authors add: “As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, congress and the executive branch cannot continue to allow personally identifiable information and national security secrets to remain vulnerable.”

The report compares this lack of progress to the last audit in 2019, which was equally damning. “In 2019 the Subcommittee reported the failures of eight federal agencies to comply with basic cybersecurity standards,” it says. “Two years later, seven agencies still fail at effectively securing data,” with only the Department for Homeland Security having significantly improved.

Can you fix US government cybersecurity?

Repairing the failures highlighted in the 2019 report was always likely to take more than two years according to Greg Austin, senior fellow for cyberspace and future conflict at the International Institute for Strategic Studies think tank. “People might think it’s easy enough to organise a cybersecurity arrangement to improve your technology and improve the training of your people,” he says. “But it’s a very long process, a process that takes a decade or two, not one or two years.”

What’s more, keeping defences up-to-date is not an easy task in the face of sustained attacks from threat actors. “Criminals and foreign governments are working more quickly with strategies to make successful attacks and the defenders can’t keep up with them,” Austin says. “So it’s really in the nature of things rather than necessarily a failing of the government.”

The root cause of these cyber failings is likely to be a “lack of investment in IT security in government departments and a lack of understanding of the way in which social influences affect security,” Austin adds.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

What is President Biden doing about US government cybersecurity?

Cybersecurity has been high on the agenda for President Biden in the wake of a string of high-profile breaches such as the Colonial Pipeline and Kaseya ransomware attacks. In May the president signed an executive order committing to bolstering US cyber defences, which included pledges to “modernise and implement stronger cybersecurity standard in the federal government” and “improve detection of cybersecurity incidents on federal government networks”. 

Such pronouncements are not unusual. “The president of the United States has declared a national emergency in cyberspace every year since 2016,” Austin says. “So this problem has been with us for ten to 15 years, and it can’t be easily fixed.”

Austin argues nothing short of a serious overhaul of US government cyber defences will make a significant difference. “If you want better cybersecurity in government, what you really need is a revolution in how we organise cybersecurity in government,” he adds.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.