U.S. Cybersecurity Infrastructure Is Weak, According to Senate Report

An August 2021 report released by the Senate Committee on Homeland Security and Governmental Affairs found that out of the eight agencies audited, only the Department of Homeland Security showed improvements in its cybersecurity program since a 2019 Senate report which “highlighted systemic failures of eight key federal agencies to comply with federal cybersecurity standards.”

The number of information security incidents has risen 8 percent across all agencies from 2019 to 2020, according to the new report. With cyber security breaches and incidents on the rise, the report highlights the importance of bolstering U.S. cyber infrastructure to be strong in the face of an attack.

Lawmakers have been evaluating federal cybersecurity with increased scrutiny since Russian hackers were able to commit cyber-espionage in the SolarWinds hack, which infiltrated nine federal agencies and was previously reported in FEDagent.

The report reviews information from the inspectors general of the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education, and the Social Security Administration. Seven of the eight agencies reviewed in the report still use legacy systems no longer supported by their vendors with security updates, making them more susceptible to future attacks.

The report states, “As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow [personally identifiable information] and national security secrets to remain vulnerable.”

Furthermore, the report highlights a number of cyber security vulnerabilities that are agency specific. For instance, in a test, the Department of Education Inspector General found that it was able to steal hundreds of files of personal information without being detected or blocked.

Several lawmakers have also highlighted the importance of building cybersecurity infrastructure in the federal government. At a June 17, 2021 Homeland Security and Governmental Affairs Subcommittee on Emerging Threats and Spending Oversight hearing, Addressing Emerging Cybersecurity Threats to State and Local Government, Committee Chairwoman Margaret Hassan (D-NH) explained, “The cybersecurity firm Emsisoft estimated that the total cost of publicly known ransomware attacks on state and local governments in 2020, including costs to restore functionality and services, was nearly one billion dollars.”

The report offers a number of recommendations to improve the cyber security infrastructure of the federal government. For example, the report calls for Congress to update the 2014 Federal Information Security Modernization Act to require federal agencies to notify DHS’s Cybersecurity and Infrastructure Security Agency (CISA) of cyber incidents. It also recommends an expansion of CISA’s tools and resources to federal agencies and enhancing CISA’s cyber intrusion detection system, EINSTEIN.

Finally, the report recommends a primary office to coordinate with agencies for a federal-government-wide cybersecurity strategy.