1(630)802-8605 Ravi.das@bn-inc.net

When it comes to Cybersecurity, we all like to blame somebody else for the misfortunes that have happened. For example, if we work for a business or corporation that has been hacked into, we all like to blame the CIO or the CISO for not being proactive enough in their stances to safeguard the organization.  Or, if we fall victim to credit card theft, the blame always goes to the place we have shopped at or even ate at.

But now, there seems to be a new trend in this blame game:  The United States Federal Government.  Although under these current conditions, they are a very easy target, even despite some of the efforts that Trump has taken to bolster Cybersecurity (these are one of the few things that I will give him credit for). 

The blaming of our own Federal Government has now taken a step for the worse as two Senators, Rob Portman (R-OH) and Tom Carper (D-DE), published a scathing report about the security weaknesses and vulnerabilities that currently exist.

They examined two Presidential Administrations and eight Federal Agencies, which include the following:

*The Department of State;

*The Department of Transportation;

*The Department of Housing and Urban Development;

*The Department of Agriculture;

*The Department of Health and Human Services;

*The Department of Education;

*The Social Security Administration. 

According to their report, the above-mentioned Federal Agencies have been deemed to have the worst levels of “Cyber-Hygiene”, thus putting the security of Americans at even more risk and danger.  The Department of Education was deemed to “the worst of the worst” in that has been unable to prevent unauthorized outside wireless devices from easily connecting to the agency’s network.

For example, in a 2018 audit, it was discovered that the agency had managed to restrict unauthorized access to 90 seconds into its internal network. But this is also just enough time for a Cyberattacked to “launch an attack or gain intermittent access to internal network resources that could lead to” exposing the agency’s data. 

Here are other key findings from the Senator’s report:

*All of the above-mentioned Federal Agencies failed to provide for the adequate protection of personally identifiable information (PII);

*Six of the Federal Agencies failed to install security patches and other updates designed to secure their servers and software applications;

*All seven of the Federal Agencies mentioned above use legacy systems or applications that are no longer supported by the vendor. This results in Cyber based vulnerabilities and weaknesses for the systems or applications in question;

*The Department of Homeland Security has failed to address Cybersecurity weaknesses for at least a decade;

*The State Department had reoccurring cybersecurity vulnerabilities, some of which were outstanding for over five years;

*The Department of Transportation Inspector General Discovered Cybersecurity weaknesses at the agency that were outstanding for at least ten years;

*The Department of Agriculture had reoccurring Cybersecurity issues that have persisted for as long as 10 years;

*The Social Security Administration exhibited persistent Cybersecurity issues risking the exposure of the PII of 60 million Americans who receive Social Security benefits.  

My thoughts on this?

The Senator’s report outlined in detail what should be done to alleviate these mission critical gaps, but I am not going to state them here.  Rather, is the same type of recommendations that the Cybersecurity industry gives to the C-Suite, and even to the American public.  If you really want to see these recommendations, here is the link, and scroll towards the bottom:

https://www.securitymagazine.com/articles/90436-federal-agencies-cybersecurity-failures-leaving-americans-personal-information-at-risk

Based upon some of these preliminary findings, it appears that these most “at risk” Federal Agencies have Cybersecurity issues for at least a decade, if not longer.  My question is, and as anybody would ask, how could this go on for so long?  Didn’t anybody know what was going on?  Where were the IT Security staff in these cases?  Yes, one could say that our Federal Government is slow to act on things, but isn’t this a bit too slow?

There is really no excuse for this, and even I cannot understand it.  We already lived through one horrible nightmare with 9/11, is the Federal Government wanting to have something to happen to it again, on the same scale, but this time where it can greatly impact Critical Infrastructure, such as our food supply, water supply, electrical utility grids, nuclear facilities, etc.?

It seems that way to me, in a lot of ways.  Keep in mind that these vulnerabilities and weaknesses will take at least as long or even longer to fix, as they have been prevalent even during the 1990s.  It never really struck me how much security prone our own Federal Government is until after I read this article.

I knew there were issues, but it always appeared to me, as a Cybersecurity journalist, that any weaknesses or vulnerabilities were being fixed.  But perhaps all that has been presented was just smoke and mirrors?  Probably so.  This just only underscores the fact the United States as a whole, is just one huge prey for a nation state actor to jump on.  I am surprised that it has not yet happened on a catastrophic level yet.

I don’t mean to be a doomsday and pessimistic person, but I am speaking the truth here.  This is stuff that should be taken seriously at all levels, and even through Corporate America itself.  As mentioned, it is very easy to blame the CIO or the CISO, but the Federal Government needs to be put under the microscopic eye as well. 

We, as American citizens, want to protect ourselves and our families, but unfortunately, ours is a society is a based where learning is done by leading with example.

After all, if our own leaders cannot do it (and I am talking both in the Federal Government and Corporate America), how do you expect the average American to follow suit?

Just something to think about.  As we approach our Independence Day next week, I am sure that the thought of Cybersecurity was never even dreamed of.  But the reality is now, although we may be the strongest nation on earth in terms of military power, we also need to equate that to the level of securing our Cyber and Digital lines of defense as well.

Finally, the Senators report can be downloaded from this link:

https://www.portman.senate.gov/sites/default/files/2019-06/2019.06.25-PSI%20Report%20Final%20UPDATE.pdf