A new report has criticised the US government’s cybersecurity defences, stating that most key government departments have not improved the way they protect citizens’ personal data since a previous and equally damning audit was carried out two years ago. President Biden has pledged to take action on cybersecurity, but this may be easier said than done, as big structural changes could be required if the government is to improve its defences against hacking gangs.
The report from the US senate’s committee on homeland security and governmental affairs takes the US government and eight of its key departments to task for a lack of adequate cyber protection, with all eight found to use legacy systems or applications no longer supported with security updates, “resulting in cyber vulnerabilities for the system or application”. The departments were issued with grades for their security measures; four received D grades, three gained Cs and only one – the Department of Homeland Security, which oversees the nation’s cybersecurity and infrastructure security agency (CISA), obtained a B.
During a test of the Department of Education’s security, investigators were able to extract hundreds of sensitive personal information files, including 200 credit card numbers, without the agency blocking or detecting the breach, the report reveals. The report highlights other problematic areas, and states “it is clear that the data entrusted to these eight key agencies remains at risk”. The authors add: “As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, congress and the executive branch cannot continue to allow personally identifiable information and national security secrets to remain vulnerable.”
The report compares this lack of progress to the last audit in 2019, which was equally damning. “In 2019 the Subcommittee reported the failures of eight federal agencies to comply with basic cybersecurity standards,” it says. “Two years later, seven agencies still fail at effectively securing data,” with only the Department for Homeland Security having significantly improved.
Can you fix US government cybersecurity?
Repairing the failures highlighted in the 2019 report was always likely to take more than two years according to Greg Austin, senior fellow for cyberspace and future conflict at the International Institute for Strategic Studies think tank. “People might think it’s easy enough to organise a cybersecurity arrangement to improve your technology and improve the training of your people,” he says. “But it’s a very long process, a process that takes a decade or two, not one or two years.”
What’s more, keeping defences up-to-date is not an easy task in the face of sustained attacks from threat actors. “Criminals and foreign governments are working more quickly with strategies to make successful attacks and the defenders can’t keep up with them,” Austin says. “So it’s really in the nature of things rather than necessarily a failing of the government.”
The root cause of these cyber failings is likely to be a “lack of investment in IT security in government departments and a lack of understanding of the way in which social influences affect security,” Austin adds.
What is President Biden doing about US government cybersecurity?
Cybersecurity has been high on the agenda for President Biden in the wake of a string of high-profile breaches such as the Colonial Pipeline and Kaseya ransomware attacks. In May the president signed an executive order committing to bolstering US cyber defences, which included pledges to “modernise and implement stronger cybersecurity standard in the federal government” and “improve detection of cybersecurity incidents on federal government networks”.
Such pronouncements are not unusual. “The president of the United States has declared a national emergency in cyberspace every year since 2016,” Austin says. “So this problem has been with us for ten to 15 years, and it can’t be easily fixed.”
Austin argues nothing short of a serious overhaul of US government cyber defences will make a significant difference. “If you want better cybersecurity in government, what you really need is a revolution in how we organise cybersecurity in government,” he adds.
