The US Department of Homeland Security, Department of Energy and other government agencies have serious security shortfalls – from weak passwords to failures in patching critical software – that have left the agencies vulnerable to attack, according a report issued on 4 February by the minority staff of the US Senate Homeland Security and Governmental Affairs Committee.
The report, published by Republican senator Tom Coburn and compiled from public sources, found that US agencies had major concerns about the most basic security controls: software updating, weak and default passwords, poorly secured websites and failure to report breaches. The government agencies are so busy preparing reports and satisfying auditors that they are not locking down the most critical security issues, Alan Paller, director of research for the SANS Institute, a security education and training organisation, told eWEEK.
By highlighting those issues, the report should call attention to the need for better security processes, he said. “The report is the best summary I have seen of the government’s failure to establish a high standard and to lead by example,” he said.
Considering its responsibility for leading the government’s efforts to secure networks, the DHS’ failures are particularly egregious, the report stated.
“Since it was selected to shoulder the profound responsibility of overseeing the security of all unclassified federal networks, one might expect DHS’ cyber protections to be a model for other agencies, or that the department had demonstrated an outstanding competence in the field,” the report stated. “But a closer look at DHS’ efforts to secure its own systems reveals that the department suffers from many of the same shortcomings found at other government agencies.”
The reported noted that the Office of Management and Budget found that the DHS deployed less security software, encryption and security awareness training than the average of other government agencies. The agency is also behind on plans to lock down its communications: The DHS aimed to have 95 percent of all communications routed through specific trusted Internet connections (TICs), but so far, only 72 percent of traffic flows through the TICs.
The government has spent at least $65 billion (£40bn) on computer security since 2006, according to the Congressional Research Office (CRO). Until government agencies focus on what really matters, more money will be wasted, Paller said.
“As long as the agencies are being driven by their auditors to focus on important but not ‘most important’ controls, the federal government will continue to be easy pickings and a bad example for the nation,” he said.
Are you a security pro? Try our quiz!
Originally published on eWeek.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…