A report by the Permanent Subcommittee on Investigations takes an in-depth look into agency cybersecurity and recommends several actions to address vulnerabilities. The report documents the extent to which the federal government is the target of cybersecurity attacks, how key federal agencies have failed to address vulnerabilities in their information technology (IT) infrastructure, and how these failures have left America’s sensitive personal information unsafe and vulnerable to theft.
When it comes to cybersecurity attacks, federal government agencies are often the prime target. Ever since 1997, the Government Accountability Office (GAO) has included cybersecurity on its “high risk” list. This is compounded by statistics that highlight the increase in cybersecurity attacks over time. For example, according to the report, “from 2006 to 2015, the number of cyber incidents reported by federal agencies increased by more than 1,300 percent.” Furthermore, “In 2017 alone, federal agencies reported 35,277 cyber incidents.”
No agency is immune to attack; in fact, the list of federal agencies compromised by hackers is steadily growing. For instance, over the past five years, the United States Postal Service, the Internal Revenue Service, and the White House have all reported data breaches. This is not an exhaustive list, and the full impact that cybersecurity attacks have had on our national security may never be known.
When looking at the current cybersecurity posture of the federal government, the rise in attacks is unsurprising. Recently, the Office of Management and Budget (OMB) released a report detailing the stance of agencies when it comes to cybersecurity. According to that report, agencies “do not understand and do not have the resources to combat the current threat environment.”
During the Subcommittee review, it was revealed that several agencies fail to comply with basic cybersecurity standards. The Subcommittee report states, “In the most recent audits, the Inspector Generals (IGs) found that seven of the eight agencies reviewed by the Subcommittee failed to properly protect personally identifiable information (PII).” Additionally, “Five of the eight agencies did not maintain a comprehensive and accurate list of information technology (IT) assets,” and “Six of the eight agencies failed to install security patches.” The review also found that multiple agencies, across multiple years, failed to ensure systems had valid authorities to operate.
All of the agencies mentioned in the report used legacy systems that were costly and difficult to secure. In the past decade, many of the same inadequacies have been reported. The IGs identified several common historical failures at the eight agencies reviewed by the Subcommittee:
- Failure to properly protect the PII entrusted in their care
- Failure to maintain an accurate and comprehensive inventory of IT assets
- Failure to timely remediate cyber vulnerabilities and apply security patches
- Failure to ensure systems had valid authorities to operate
- Over-reliance on legacy systems
In addition to the report’s comments on the over-reliance on legacy systems, the 2019 budget request released by President Trump further addresses the risks posed by this problem. The request states, “legacy systems pose efficiency, cybersecurity, and mission risk issues, such as ever-rising costs to maintain them and an inability to meet current or expected mission requirements. Legacy systems may also operate with known security vulnerabilities that are either technically difficult or prohibitively expensive to address and thus may hinder agencies’ ability to comply with critical cybersecurity statutory and policy requirements.”
In response to these problems, an effort to prioritize agency cybersecurity has been made. Congress established the position of Chief Information Officer (“CIO”) in 1996. Over the years, Congress has increased the amount of responsibility given to agency CIOs numerous times. Despite new authorities being given to CIOs, agencies still struggle to empower them. The report states, “in August 2018, GAO found that none of the 24 major agencies—including the eight examined by the Subcommittee—properly addressed the role of CIO as Congress directed.” Given the sustained vulnerabilities identified by numerous Inspectors General, the Subcommittee found that the federal government has not fully achieved its legislative mandate under FISMA and is failing to implement the basic cybersecurity standards necessary to protect America’s sensitive data.
The Subcommittee made several recommendations in its report:
- OMB should require agencies to adopt its risk-based budgeting model addressing blind IT spending. This process links agency IT spending to FISMA metrics to help agencies identify cybersecurity weaknesses that place the security of agency information at risk. Agencies currently use their limited IT funds on capabilities for perceived security weaknesses instead of using those funds on the security risks most likely to be exploited by hostile actors. The Subcommittee says OMB should report to Congress whether legislation is needed.
- Federal agencies should consolidate security processes and capabilities commonly referred to as Security Operations Centers (SOCs). This would provide agencies with better visibility across their networks.
- OMB should ensure that CIOs have the authority to make organization-wide decisions regarding cybersecurity. This authority was provided to CIOs in 2014 with the enactment of FISMA, but the Subcommittee discovered that this is not being implemented as Congress intended. Without this authority, agencies have no senior officer to hold personnel accountable to security standards and implement policies that strengthen the agency’s information security program. The Subcommittee adds that Congress should consider whether legislation is needed.
- OMB should ensure that CIOs are reporting to agency heads on the status of the agency’s information security program as mandated by FISMA. The Subcommittee says agency heads often rely exclusively on CIOs and Chief Information Security Officers (CISOs) for matters of information security, and this detracts from the leadership accountability necessary for agency-wide improvements. To ensure this line of communication, the Subcommittee says CIOs should submit quarterly reports to agency heads detailing agency performance against FISMA metrics and return on investment for existing cybersecurity capabilities.
- Federal agencies should prioritize cyber hiring to fill CIO vacancies and other IT positions critical to agency cybersecurity efforts. To facilitate this prioritization, OMB should determine if additional flexibility is needed across the government for cyber hiring and suggest any legislation necessary to Congress.
- OMB should consider reestablishing CyberStat or regular in-person reviews with agency leadership to focus on cybersecurity issues and generate actionable recommendations to accelerate the fortification of government networks. OMB should also include a summary of the value added by these reviews in its annual FISMA report to Congress.
- In developing shared services for cybersecurity, DHS should consult agency CIOs to ensure that the proposed service will be widely utilized. When DHS launches a shared service, it should consider piloting the service with a small number of agencies to confirm operability and functionality. As the Quality Service Management Office for cybersecurity, DHS should include a summary of the five-year services implementation plan required by OMB in its annual FISMA report to Congress.
- All federal agencies should include progress reports on cybersecurity audit remediation in their annual budget justification submission to Congress. Agencies should also include a description of the OMB approved business case in the budget justification for modernized technology or services for which OMB designated a Quality Service Management Office to demonstrate that a separate procurement results in better value.
- Federal agencies should create open cybersecurity recommendation dashboards. Once created, each agency should submit to Congress every six months metrics on audit recommendation closure rates and accomplishments. Each agency head should also be briefed and approve the agency’s plan for addressing open cyber recommendations.
The Subcommittee will continue to track federal agency cybersecurity to ensure agencies meet FISMA’s primary legislative objective to secure government information systems.