Sun Sentinel Broward Edition

Federal agencies vulnerable to hackers

Records point to security lapses in guarding networks

- By Ken Dilanian Associated Press

Investigat­ors say Congress and most government department­s aren’t taking cybersecur­ity seriously.

WASHINGTON — Passwords written down on desks. Outdated anti-virus software. “Perceived ineptitude” in informatio­n technology department­s.

The federal government, which holds secrets and sensitive informatio­n ranging from nuclear blueprints to the tax returns of hundreds of millions of Americans, has for years failed to take basic steps to protect its data from hackers and thieves, records show.

In the latest example, the Office of Personnel Management is under fire after its databases were plundered by suspected Chinese cyberspies in what is being called one of the worst breaches in U.S. history. OPM neglected to implement basic cybersecur­ity protection­s, its internal watchdog told Congress.

But the department­s of Treasury, Transporta­tion, State and Health and Human Services have significan­tly worse records, according to the most recent administra­tion report to Congress under the Federal Informatio­n Security Man- agement Act. Each of those agencies has been hacked in the past few years.

“Last year, across government, we the American people spent almost $80 billion on informatio­n technology, and it stinks,” said Rep. Jason Chaffetz, R-Utah, chairman of the House Oversight and Government Reform Committee.

Congress can hardly escape blame. While President Barack Obama’s latest budget plan called for a $14 billion increase for cyberdefen­ses, the House proposed a budget in March that didn’t include specific funding for cybersecur­ity. Nor has Congress imposed much accountabi­lity on agencies that suffer breaches.

The security lapses have persisted even as cyberattac­ks on government networks have increased.

The federal government dealt with 67,196 cyber incidents in the last fiscal year, up from 57,971 incidents the year before, according to the White House report card, which was published in February. Missing from that document is an accounting of how many hacks were successful and what was stolen. It’s not a new problem. The Government Accountabi­lity Office has la- beled federal informatio­n security a “high-risk area” since 1997. In 2003 it expanded the high-risk designatio­n to include computer networks supporting the nation’s critical infrastruc­ture. This year, it added “personally identifiab­le informatio­n” to the list, just in time to see hackers steal the Social Security numbers and other private informatio­n of nearly every federal worker.

But agency managers haven’t been punished for failing to secure their net- works, and little sustained attention has been paid to the intrusions.

“No one is ever held accountabl­e,” said James Lewis, a cybersecur­ity expert at the Center for Strategic and Internatio­nal Studies in Washington. Unlike in the corporate world, where the CEO of Target resigned last year after a breach of customer data, “it’s been penalty free, and senior leadership doesn’t really care about this.”

The OPM debacle may change that. It has dealt the country a national security blow, experts say, by exposing the personal informatio­n, and foreign contacts, of millions of people with security clearances.

After the OPM attack, the federal chief informatio­n officer, Tony Scott, ordered agencies to speed implementa­tion of new security measures and fix vulnerabil­ities.

But many agencies seem incapable of good security practices, say industry experts, who call for a new approach that moves be-

yond perimeter defenses and into sophistica­ted analysis of network behavior. Scott embraces that idea. But as the government deploys new technology to discover hacks, he said, “we’re going (to) find out some things previously unknown. It’s going to feel like the problem is getting worse, but it’s actually getting better.”

 ??  ??
 ?? CLIFF OWEN/AP ?? Utah Rep. Jason Chaffetz, center left, talks with Texas Rep. Will Hurd last week during a House committee hearing about a data breach at the Office of Personnel Management.
CLIFF OWEN/AP Utah Rep. Jason Chaffetz, center left, talks with Texas Rep. Will Hurd last week during a House committee hearing about a data breach at the Office of Personnel Management.

Newspapers in English

Newspapers from United States