U.S. Federal Government Cybersecurity Spending: $40B Wasted Annually?
The Senate Homeland Security and Governmental Affairs Subcommittee on Investigations recently released a report criticizing a number of federal agencies for a failure to fix security vulnerabilities in their IT infrastructure over the last 10 years.
As if right on cue, the International Association of IT Asset Management (IAITAM), a Canton, Ohio-headquartered IT industry advocate founded in 2002, has accused the federal government of frittering away roughly $40 billion annually on unwise and ineffective security spending. No further delays are acceptable to fix the problem, the IAITAM said. The feds should move quickly to “build the wall that will protect taxpayers from cyberattacks from outside and billions of dollars in wasteful federal spending on Information Technology (IT) and IT security on the inside.”
The IAITAM’s leadership has been prodded by the bipartisan report, entitled Federal Cybersecurity: America’s Data at Risk, sponsored by subcommittee chairman Rob Portman (R-OH) and ranking member Tom Carper (D-DE). This latest review adds to a 2015 IAITAM volume, Understanding the Federal Government’s IT Insecurity Crisis. That report concluded that half or more of the $70 – $80 billion the U.S. government spends each year on IT/IT security is wasted and actually leaves federal agencies in greater danger of breaches, lost and stolen hardware, the use of outdated software, missing software patches and other cybersecurity dangers.
In Carper and Portman’s audit, the Subcommittee reviewed 10 years of Inspectors General data on compliance with federal information security standards for the departments of State (DOS), Homeland Security (DHS), Health and Human Services (HHS), Transportation (DOT), Education (ED), Agriculture (USDA), Housing and Urban Development (HUD), and the Social Security Administration (SSA). The audit assigned ratings based on security functions set by the National Institutes of Science and Technology (NIST).
- Seven of the eight agencies failed to provide for the adequate protection of personally identifiable information (PII).
- Five agencies failed to maintain accurate and comprehensive IT asset inventories.
- Six agencies failed to install security patches and carry out other vulnerability remediation actions intended to secure their applications in a timely manner.
- All eight agencies use legacy systems or applications that the vendor no longer supports with security updates, leaving the system or application exposed to cyber vulnerabilities.
Some of Carper and Portman’s findings had already been uncovered in the 2015 IAITAM report. For example, the America’s Data at Risk document discovered untracked hardware and software at five of the eight agencies, an issue the advocacy group said “falls under the core” of its best practices. Having an up-to-date IT asset inventory is essential for any organization, regardless of size, the association said.
“You can’t build the wall we need to protect taxpayers and sensitive federal data by wasting billions more dollars on random IT spending and cybersecurity measures that vary wildly from federal agency to federal agency,” said IAITAM CEO Dr. Barbara Rembiesa, who authored the 2015 report. “By focusing largely on hacks and other breaches, elected officials and agency administrators are failing to take a bottom-up approach to the purchase, control, inventory, and proper destruction of such IT assets as software, computer hard drives and mobile devices. With no meaningful standards and controls in place across and even within federal agencies, the result is massive waste, inefficiency, and huge vulnerabilities that can easily be exploited by bad actors inside and outside of the system.”
On delivery of his and Carper’s report, Portman was no less critical of the failure of federal agencies to implement what he called “basic cybersecurity practices,” a failure that resulted in the exposure of classified, personal and sensitive information.
“Hackers with malicious intent can and do attack federal government cyber infrastructure consistently. In 2017 alone, federal agencies reported 35,277 cyber incidents,” Portman said. “The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats,” he said.