from the giant-wheel-of-dysfunction dept
Three years ago a US Senate Committee report showcased that the U.S. government’s cybersecurity defenses were the IT equivalent of damp cardboard. The study found numerous government agencies were using dated systems that were expensive to maintain but hard to properly secure. It also noted how from 2008 to 2018, the government repeatedly failed to adequately protect sensitive data at the Social Security Administration and Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education.
Three years have gone by and guess what: very little has actually changed. The latest 47 page report (pdf) found that little meaningful improvement was made in the last three years, with cybersecurity at those same eight federal agencies earning four grades of D, three Cs, and a single B:
“It is clear that the data entrusted to these eight key agencies remains at risk. As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable.”
This report is just one of countless instances over the last two decades where the government was warned that it’s expensive, shitty, dated systems simply weren’t secure. In this report, of the eight agencies, only the DHS showed meaningful improvements in IT security:
“What this report finds is stark. Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. As such, this report finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America?s sensitive data.”
Much like election security, there’s a lot of bloviation and consultant bucks that get thrown around — often with little to show for it. DC lawmakers often talk a lot about the importance of cybersecurity, but only as so far as it pertains to being helpful in terms of partisan fear mongering, lining the pockets of campaign contributors, weakening encryption for their own surveillance purposes, or protecting the interests of dominant domestic corporations. But when it comes to taking actual, intelligent, meaningful action (like oh, shoring up the security nightmare that is the internet of broken things), we fail repeatedly.
The report of course comes about seven months after Russian government sponsored hackers used a massive supply chain attack to gain access to systems at numerous US government agencies and over 100 corporations. And just four months after Chinese government sponsored hackers breached multiple federal agencies by exploiting vulnerabilities in the Pulse Secure VPN. While both events have taken the usual DC consternation, hand wringing, and big dollar consultant payouts in to new levels, who the hell knows if any of it leads to actual, meaningful reform.