US Homeland Security found SEC had ‘critical’ cyber weaknesses
The US Department of Homeland Security detected five “critical” cyber security weaknesses on the Securities and Exchange Commission’s computers as of January 23, 2017, according to a confidential weekly report reviewed by Reuters.
The report’s findings raise fresh questions about a 2016 cyber breach into the US market regulator’s corporate filing system known as “EDGAR.” SEC chairman Jay Clayton disclosed late on Wednesday that the agency learned in August 2017 that hackers might have exploited the 2016 incident for illegal insider trading.
The January DHS report, which shows its weekly findings after scanning computers for cyber weaknesses across most of the federal civilian government agencies, revealed that the SEC at the time had the fourth most “critical” vulnerabilities.
It was not clear if the vulnerabilities detected by DHS are directly related to the cyber breach disclosed by the SEC. But it shows that even after the SEC says it patched “promptly” the software vulnerability after the 2016 hack, critical vulnerabilities still plagued the regulator’s systems.
The hack, two weeks after credit-reporting company Equifax said hackers had stolen data on more than 143 million US customers, has sent shockwaves through the US financial sector.
An SEC spokesman did not have any comment on the report’s findings.
It is unclear if any of
The report’s findings raise fresh questions about a 2016 cyber breach into the US market regulator’s corporate filing system known as ‘EDGAR.’
those critical vulnerabilities, detected after a scan of 114 SEC computers and devices, still pose a threat.
During the Obama administration, such scans were done on a weekly basis.
“I absolutely think any critical vulnerability like that should be acted on immediately,” said Tony Scott, the former federal chief information officer during the Obama administration who now runs his own cybersecurity consulting firm.
“This is what was at the root of the Equifax hack. There was a critical vulnerability that went unpatched for a long period of time. And if you’re a hacker, you are going to try to see if you can exploit it in some fashion or another. So there is a race against the clock.”
For the past several years, the department of Homeland Security has been producing a report known as the “Federal Cyber Exposure Scorecard.” It provides a weekly snapshot to more than 80 civilian government agencies about potential outstanding cyber weaknesses and how long they have persisted without being patched.
A directive by Homeland Security requires agencies to address critical vulnerabilities within 30 days, though sometimes that deadline can be difficult to meet if it might disrupt a government system.
The January snapshot shows improvements have been made across the government since May 2015, when there were a total of 363 critical vulnerabilities on devices across all of the civilian agencies, according to the report.
As of January 23, by contrast, there were a total of 40 critical vulnerabilities across the agencies reviewed by DHS and another 280 weaknesses categorised as “active high,” which is the second more severe category.
The top four agencies with the most “critical” vulnerabilities as of January 23 included the Environmental Protection Agency, the department of Health and Human Services, the General Services Administration and the SEC.