Nearly three months after a fevered Obama administration attempt to bolster security against cyber-hackers who tapped into the private information of some 25 million federal employees, cybersecurity experts say there is still no comprehensive plan to protect the sprawl of 10,000 government and contractor computer systems.
Among the noteworthy gaps: a cybersecurity “strategy and implementation plan,” which the White House said last July would be the work of “a team of over 100 experts from across the government and private industry.” A spokesman for the White House Office of Management and Budget provided no answer to a specific question from Fox News about the timing of the plan’s release.
New comprehensive software defenses that the administration intends as a major security bulwark also appear to be a work in progress: a $1 billion award to the prime contractor for the design, development and maintenance of a so-called National Cybersecurity Protection System (NCPS), also known as EINSTEIN, was only announced at the end of September.
Meanwhile, the experts charge, government agencies apparently still don’t perform routine security tasks that are commonplace in the private sector, there is little evidence that the Obama administration is holding top agency officials accountable for the laxness, and literally hundreds of recommendations to government agencies on how to enhance security remain unaddressed.
Even when it comes to using the steady stream of software update patches that bolster most software systems, “they aren’t that good at it on a consistent basis,” says Gregory Wilshusen, director of information security issues at the Government Accountability Office (GAO), the watchdog arm of Congress.
Whatever improvement has occurred is “incremental,” Wilshusen told Fox News, and pointed in particular at the government’s glacial response to recommendations for improvement that largely come from GAO and other watchdogs. In GAO’s case, he noted, “between fiscal 2011 and fiscal 2015 we have made 1,590 recommendations on information security issues, and of those about one-half are still not implemented.”
A GAO report released at the end of September on the administration’s information security practices reinforces Wilshusen’s contentions of glacial improvement at best. Using interviews at six selected agencies and information from inspectors general working at 24 federal agencies and departments, the document finds that virtually all of them have major difficulties in “limiting, preventing, and detecting inappropriate access to computer resources,” ranging from patch installation to much bigger issues of having plans to manage the risks of potential information security breaches.
At the same time, the report notes, cyberattacks involving personal information of federal employees or contractors have risen to 27,624 in 2014 from 10,481 in 2009.
Those numbers likely include a series of mega-attacks whose existence was only revealed this year that involved the personal information and intimate background checks, as well as fingerprints, of millions of current and former federal employees, and that could compromise the entire U.S. national security system.
Along with the biggest attacks at the White House Office of Personnel Management, and its related contractors, the report notes that intrusions compromised the personal information of 800,000 Postal Service workers, 14,000 personal information accounts at the Food and Drug Administration, and about 330,000 IRS tax accounts.
The litany of reported lax security practices includes such areas as:
- weaknesses in access controls for 22 of the 24 agencies examined, meaning who could get in and out of systems;
- weaknesses in authorization controls in 18 agencies, meaning who was allowed specific levels of access in the systems -- and whether they should have lost those authorizations for such reasons as quitting or being transferred. The good news was that in 2013, 20 agencies had problems.
- on the issue of installing patches and software updates, 17 agencies had reported weaknesses in 2014, down from 23 the previous fiscal year, but still more than 70 percent of those surveyed.
- at the same time, 22 agencies had weaknesses in so-called configuration management, which it described as controls that “limit and monitor access to powerful programs and sensitive files associated with computer operations, [and] are important in providing reasonable assurance that access controls and the operations of systems and networks are not compromised.”
- Seven agencies did not have so-called risk management plans, which the report describes as the “harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems.” Wilshusen called that a “basic, fundamental principle” of information security that is, moreover, “required by law.”
“It’s almost as if the different departments and agencies feel someone else has their job,” observed Theresa Payton, who served as White House chief information officer from 2006 to 2008, and now runs her own cyber-security consulting firm, Fortalice Solutions.
Payton described herself as “floored” at the notion of access control lapses at any agency, which she described as “vitally important,” and said failure to “lock down” security contractor-operated networks entwined with federal agencies -- the report says there are some 1,500 of them -- was “borderline negligence.”
Even day-to-day activities like patching systems when required, she points out, are vital to security, since “if it’s updateable, it’s breachable.”
The administration’s response to the GAO report and related criticisms is that it is outdated, according to Jamal Brown, a spokesman for the White House Office of Management and Budget (OMB), one of the overseers of federal cybersecurity. Data for the report, he notes, largely came from “previous years and did not fully reflect the most recent efforts by federal agencies” under the goad of the cyber-sprint.
Earlier this year, Brown noted, “Federal civilian agencies increased their use of strong authentication for privileged and unprivileged users by 30 percent,” and he hailed an update of federal information security management laws at the end of 2014 for “better delineating the roles and responsibilities of the OMB and the Department of Homeland Security in securing federal networks and our ability to provide clearer guidance to federal agencies.”
The attainments that Brown cited are also mentioned in greater detail in a July 21 blog post by White House Chief Information Officer Tony Scott that hailed the results of the cyber-sprint -- and also revealed how much catch-up was required, and still remains.
The increase in “strong authentication” for network access -- meaning swipe card IDs or other tools -- brought federal civilian agencies, on average, up from 42 to 72 percent of users -- meaning that more than a quarter of users still did not have that required status.
The same went for “privileged” users, meaning those with greater access and ability to change systems. Previously, only one-third of such users had strongly protected credentials; a quarter still need them, according to the blog.
Scott added that 13 of 24 agencies had gotten the tally up to 95 percent of privileged users -- implying that for the remaining agencies, the proportion must therefore be significantly lower than the three-quarters average.
Other results of the sprint ostensibly included the “immediate” patching of “critical vulnerabilities” and tight limits on the number of “privileged users with access to authorized systems,” but Scott did not report detailed progress in those areas -- which means that the “outdated” criticism of federal sclerosis may not be all that outdated.
As the GAO’s Wilshusen puts it, “we need more of a marathon, not a sprint. What is required is continuity in day-in and day-out basics,” which the GAO report found lacking. He also said “the jury is still out” on the latest changes in information security law, which require individual federal agencies to identify risks and correct them “in a timely manner.”
“We don’t need one 30-day sprint,” adds Payton. “We need another and another and another.” Much of what was accomplished during that fast-track period, she notes, “was stuff they were supposed to do anyway.”
“At the end of the day, if the administration doesn’t hold the departments and agencies accountable,” not much will change, she said.
And if that is true, whoever is stealing America’s most sensitive information will likely continue to have a field day.
George Russell is editor-at-large of Fox News and can be found on Twitter: @GeorgeRussell or on Facebook.com/GeorgeRussell