As some push radical, privacy-invasive ‘cybersecurity’ policies, US agencies fail to take basic preventative measures http://t.co/N2QdVoGquS
— Trevor Timm (@trevortimm) February 4, 2014
U.S. officials have warned for years that the prospect of a cyberattack is the top threat to the nation and have sharply increased spending for computer security. Yet the report by the Republican staff of the Senate Homeland Security and Governmental Affairs Committee says that federal agencies are ill-prepared to defend networks against even modestly skilled hackers.
The report draws on previous work by agency inspectors general and the Government Accountability Office to paint a broader picture of chronic dysfunction, citing repeated failures by federal officials to perform the unglamorous work of information security. That includes installing security patches, updating anti-virus software, communicating on secure networks and requiring strong passwords. A common password on federal systems, the report found, is “password.”
The report levels particularly tough criticism at the Department of Homeland Security, which helps oversee cybersecurity at other federal agencies. The report concluded that the department had failed even to update essential software — “the basic security measure just about any American with a computer has performed.”
The bogus zombie alert last year, which was carried by television stations in Michigan, Montana and New Mexico, highlighted flaws in the oversight of the Emergency Alert System, which is mandated by the Federal Communications Commission and managed by the Federal Emergency Management Agency.
Hackers discovered that some television stations had connected their alert-system equipment to the Internet without installing a firewall or changing the default password, as the company’s guide instructed, said Ed Czarnecki, an official with Monroe Electronics, which manufactured the equipment that was breached. He said those mistakes in elementary network security might have been prevented with more instruction from the government.
“Neither the FCC nor FEMA had issued clear guidelines on how to secure this gear,” Czarnecki said.
Though the incident was seen as a prank, it highlighted weaknesses that could have been dangerous if hackers had broadcast misinformation during an actual emergency or terrorist attack, experts said. Monroe Electronics and the FCC have worked with affected stations to prevent a recurrence, they said.
Other problems identified in the Senate report:
- In every year since 2008, the GAO has found roughly 100 weaknesses in the computer security practices of the Internal Revenue Service, which took an average of 55 days to patch critical system flaws once they were identified. It is supposed to take only three days to do so.
- Hackers have cracked the systems of the Energy Department, gaining access to the personal information of 104,000 past and present department employees.
- The Nuclear Regulatory Commission, which keeps data on the design and security of every nuclear reactor and waste facility in the country, “regularly experiences unauthorized disclosures of sensitive information.” An agency spokeswoman issued a statement saying it “takes information security very seriously and works continuously toward improvements.”
- And at the Securities and Exchange Commission, laptops containing sensitive information were not encrypted and staffers sometimes transmitted private information about financial institutions on personal e-mail accounts. On at least one occasion, an SEC staffer logged onto an unsecured WiFi network at a convention of computer hackers.