On 25th June 2019, a report was published by the Permanent Subcommittee on Investigations of the US Senate on the state of cybersecurity within eight key Federal Agencies.
This report has received little global coverage given the scale of the findings within its 95-pages.
The findings make for scary reading for the U.S. Government and all of its citizens that depend of the services provided by the eight federal agencies in the report.
The eight U.S. Federal Agencies in scope of this report are:
- The Department of Homeland Security
- The Department of State
- The Department of Transport
- The Department of Housing and Urban Development
- The Department of Agriculture
- The Department of Health and Human Services
- The Department of Education
- The Social Security Administration
The key findings of fact from a cyber security perspective are:
Unpatched vulnerabilities
Unpatched vulnerabilities are endemic within most of these Federal Agencies. Some have been there for up to 10 years.
Unsupported systems
A number of agencies are still dependant on systems like Windows 2003 and Windows XP, along with versions of PowerBuilder and Adobe Acrobat that are no longer in support and have long since been withdrawn from support and superseded by their vendors. Within the Department of Homeland Security, one of the entities still reliant on Windows Server 2003, is the Secret Service.
Legacy Systems
And when we say legacy, we mean legacy. A number of key systems across these agencies are over 20 years old, with a few over 30 years old.
The Social Security Administration is dependent on the Title II system which holds retirement and disability information on millions of Americans, which was introduced in 1985. Some of its 162 subsystems are written in COBOL.
These are all basic security controls that an SME would be expected to deliver.
Lack of process maturity
The auditors used a capability maturity model (on a scale of 1 – 5) to define the levels to which each Federal Agency was able to protect itself across five defined disciplines:
- Identify (Asset Management and Authorisation; Comprehensive Risk Management)
- Protect (Remove Access; Network Protection)
- Detect (Anti-Phishing capabilities; Malware Defence Capabilities; Exfiltration and Other Capabilities)
- Respond (Planning and Processes; Evaluation and Improvement)
- Recover (Planning and Testing; Personal Impact Process; Back-Up Capacity)
Across the eight Agencies, the average maturity score across each of the five disciplines was:
| Capability | Average Maturity |
|---|---|
| Identify | 2.375 |
| Protect | 2.375 |
| Detect | 2 |
| Respond | 2.5 |
| Recover | 2.375 |
The Department of State scored the lowest possible score (1) in both its ability to Identify and to Detect.
The average scores across the five disciplines for each Agency were as follows:
| Department | Average maturity across the five capabilities |
|---|---|
| Department of Homeland Security (DHS) | 3.4 |
| Department of State | 1.8 |
| Department of Transport | 2.0 |
| Housing and Urban Development (HUD) | 2.2 |
| Department of Agriculture (USDA) | 2.0 |
| Health and Human Service (HHS) | 2.4 |
| Department of Education (DoE) | 2.4 |
| Social Security Administration (SSA) | 2.4 |
These scores are truly awful. Let us put those scores into context with the annual IT budgets of those Departments, taken from information provided in the report.
| Department | Capability Maturity score | Annual IT Budget FY 2018 |
|---|---|---|
| DHS | 3.4 | $6.83B |
| State | 1.8 | $1.9B |
| Transport | 2.0 | $3.2B |
| HUD | 2.2 | $351M |
| USDA | 2.0 | $2.9B |
| HHS | 2.4 | $13.8B |
| Education | 2.4 | $745M |
| SSA | 2.4 | $1.7B |
Conclusion
The conclusion of the report is equally damming. In full, it states the following:
“Despite major data breaches like OPM, the federal government remains unprepared to confront the dynamic cyber threats of today. The longstanding cyber vulnerabilities consistently highlighted by Inspectors General illustrate the federal government’s failure to meet basic cybersecurity standards to protect sensitive data. The Subcommittee will continue to track federal agency cybersecurity to ensure agencies meet FISMA’s primary legislative objective to secure government information systems.”
The Trump Administration has taken action with executive order 13800 issued in May of 2017, titled Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
However, the scale, breadth and depth of the issues faced by these Federal Agencies are so significant, they will not be remediated any time soon. The US Federal Government and its citizens will be exposed to significant cyber threats for a very long time to come.
