DHS, DOJ, DOD, EPA, NASA, Energy, State routinely hacked
A new report by Sen. Tom Coburn (R., Okla.) details widespread cybersecurity breaches in the federal government, despite billions in spending to secure the nation’s most sensitive information.
The report, released on Tuesday, found that approximately 40 percent of breaches go undetected, and highlighted “serious vulnerabilities in the government’s efforts to protect its own civilian computers and networks.”
“In the past few years, we have seen significant breaches in cybersecurity which could affect critical U.S. infrastructure,” the report said. “Data on the nation’s weakest dams, including those which could kill Americans if they failed, were stolen by a malicious intruder. Nuclear plants’ confidential cybersecurity plans have been left unprotected. Blueprints for the technology undergirding the New York Stock Exchange were exposed to hackers.”
Nearly every agency has been attacked, including the Departments of Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce. NASA, the EPA, the FDA, the U.S. Copyright Office, and the National Weather Service have also been hacked or had personal information stolen.
In one example, hackers breached the national Emergency Broadcast System in February 2013 to broadcast “zombie attack warnings” in several midwestern states.
“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living,” the message said. “Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”
“These are just hacks whose details became known to the public, often because the hackers themselves announced their exploits,” the report said. “Largely invisible to the public and policymakers are over 48,000 other cyber ‘incidents’ involving government systems which agencies detected and reported to DHS in FY 2012.”
Based on more than 40 audits by agency watchdogs, the report takes a closer look at the worst offenders, including the departments of Homeland Security, Energy, Education, the Securities and Exchange Commission, and the IRS.
Each year the Government Accountability Office (GAO) identifies roughly 100 cybersecurity weaknesses within the IRS, whose computers “hold more sensitive data on more Americans than those of perhaps any other federal component.”
IRS computers had over 7,000 “potential vulnerabilities” as of March 2012, due to the failure to install “critical” security software, a problem the agency said would be fixed within 72 hours. Instead, it took an average of 55 days to install the patches.
Only 72 percent of DHS Internet traffic passes through Trusted Internet Connections (TICs), and the agency has failed to install security patches on servers that contain intelligence from the U.S. Secret Service.
The Nuclear Regulatory Commission, which contains volumes of information on the nation’s nuclear facilities, “regularly experiences unauthorized disclosures of sensitive information,” according to the report.
The agency has “no official process for reporting” breaches, cannot keep track of how many laptops it has, and kept information on its own cybersecurity programs, and its commissioner’s “passport photo, credit card image, home address, and phone number,” on an unsecure shared drive.
Full article: Report: 4 in 10 Government Security Breaches Go Undetected (Washington Free Beacon)