The International Association of IT Asset Management (IAITAM) responded to the recently released “Federal Cybersecurity: America’s Data at Risk” report, which was released by U.S. Senators Tom Carper (D-DE) and Rob Portman (R-OH).The professional association for the IT industry said Washington needs to do a better job of protecting government agencies as well as taxpayers from outside cyberattacks. The IAITAM called out the government’s wasteful federal spending on Information Technology (IT) as well as the security that comes with it.
The Senate report, which is the product of the Permanent Subcommittee on Investigation’s 10-month review of decades’ worth of inspector general reports of core government agencies, highlighted the frequency of cybersecurity attacks against the federal government. From 2006 to 2015 the number of cyber incidents reported by various agencies increased by more than 1,300%. In just 2017, federal agencies reported 32,277 cyber incidents.
No agency is immune to attacks, the report found. The Government Accountability Office (GAO) has included cybersecurity on its “high risk” list every year since 1997, while over the past five years the United States Postal Service, the Internal Revenue Service and even the White House have reported data breaches. The largest breach of government information occurred in 2015 when hackers gained access to more than 22 million security clearance files from the Office of Personnel Management (OPM).
The report further highlighted that there is a likelihood that more breaches will occur. In total eight agencies, including the Department of Homeland Security, the Department of State, the Department of Education and the Social Security Administration, were all found to have vulnerabilities in their respective cybersecurity systems and practices.
According to the report, “the Federal government remains unprepared to confront the dynamic cyber threats of today.” It added that the state of cyber vulnerabilities highlighted by the Inspectors General illustrate the government’s failure to even meet basic cybersecurity standards to protect this data.
One factor for the increased breaches, the committee found, has been too much reliance on legacy systems – which include “outdated or obsolete system of information technology.” Examples in the report included the use of Windows XP and Windows Server 2003 for many internal systems at various agencies, despite the fact that Microsoft has long discontinued support for those operating systems. In one particular example, the Department of Transportation was noted for utilizing a 48-year-old computer system to track hazardous materials data, and that software program was only phased out in May and only because very few employees even knew how to use it!
Build the Firewall
Much of the recent Permanent Subcommittee on Investigation’s report mirrors IAITAM’s February 2015 report, “Understanding the Federal Government’s ‘IT Insecurity’ Crisis,” which concluded that half or more of the $70 to $80 billion the U.S. government spends each year on IT/IT security is wasted. IAITAM’s report also suggested that this leaves federal agencies in greater danger from breaches, lost and stolen hardware, the use of outdated software, missing software patches and other cybersecurity dangers.
“You can’t build the wall we need to protect taxpayers and sensitive federal data by wasting billions more dollars on random IT spending and cybersecurity measures that vary wildly from federal agency to federal agency,” said IAITAM CEO, and author of the 2015 report, Dr. Barbara Rembiesa via a statement.
“By focusing largely on hacks and other breaches, elected officials and agency administrators are failing to take a bottom-up approach to the purchase, control, inventory, and proper destruction of such IT assets as software, computer hard drives and mobile devices, Rembiesa added. “With no meaningful standards and controls in place across and even within federal agencies, the result is massive waste, inefficiency, and huge vulnerabilities that can easily be exploited by bad actors inside and outside of the system.”
In May, IAITAM had applauded President Donald Trump for signing an executive order that would foster efforts to improve the nation’s cybersecurity infrastructure. This followed a White House announced that it would increase the cybersecurity workforce and attempt to fill more than 300,000 vacancies. Part of those efforts included the framework created by the National Initiative for Cybersecurity Education (NICE). The White House also announced that the order would allow federal workers to be temporarily reassigned to other agencies as a way to increase their cybersecurity experience.
“America built the internet and shared it with the world,” President Trump said via a statement in May. “Now we will do our part to secure and preserve cyberspace for future generations.”
