Last week the Senate Homeland Security and Governmental Affairs committee’s minority staff released a 19-page assessment titled “The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure.” Retiring Sen. Tom Coburn, R-Okla., sponsored the assessment. The footnoted assessment draws on more than 40 agency audits and inspector general reviews.
Coburn’s short and readable document supports its high-tech horror story with vivid, near-slapstick examples of bonehead stupidity and reckless laziness.
Slapstick and bonehead by “The Three Stooges” is comedy. Persistent, uncorrected cybersecurity errors by agencies handling extremely sensitive information is a scandal with the potential for tragedy.
By reputation, the Nuclear Regulatory Commission is a tech-savvy organization. When President Gerald Ford signed the NRC’s authorizing legislation, he said that licensing and regulating the civilian use of nuclear materials is a complicated job with “special potential hazards.”
Nuclear reactors must be protected from earthquakes, terrorists and cyberattacks on the computers monitoring their output. However, investigators discovered that the NRC “stored sensitive cybersecurity details for nuclear (power) plants on an unprotected” computer. Storing security data for reactor computers on a non-secure computer is beyond bonehead.
On to money. Regulating and insuring the integrity of U.S. stock markets is a central function of the SEC.
However, the SEC “routinely exposed extremely sensitive” New York Stock Exchange computer network data, including cybersecurity methods and procedures. The 2013 hack on Target stores compromised customer data and financially damaged the discount chain. The NYSE is a bigger target than Target. Hacking the Big Board wreaks global financial damage. Bonehead security sloppiness at the SEC, the NYSE’s chief government regulator and policeman, gave hackers and terrorists the inside skinny on the market’s IT defenses.
The report damns the U.S. Army Corps of Engineers. Hey, Corps’ IT security is much worse than my pun. In January 2013, hackers penetrated Corps’ computers, filching a “non-public database” with information on “the nation’s 85,000 dams.” The data included assessments of “each dam’s condition, potential for fatalities if breached, (its) location and nearest city.”
These sensational examples of inexcusable IT malfeasance appear on the report’s introductory page. They reveal the compromise of sensitive regulatory data fundamental to each agency’s central regulatory mission. Though sensational, they are representative. Other agencies have similar horror stories, including the Department of Defense, Department of Energy, the IRS, NASA, the FDA and Homeland Security. Homeland Security has experienced numerous problems in its cybersecurity office and its component agencies. The IRS bleeds sensitive taxpayer information.
Sophisticated hackers are a constant threat to everyone — individuals, businesses and government agencies. However, IG investigators found that many government breaches involve exploiting “mundane weaknesses.” These include failure to install software patches and using weak passwords. Investigators often found passwords written on a worker’s desk right beside a classified computer.
The government has issued numerous directives. “The National Institute of Standards and Technology, the government’s official body for setting cybersecurity standards, has produced thousands of pages of precise guidance on every significant aspect of IT security. And yet agencies — even agencies with responsibilities for critical infrastructure or vast repositories of sensitive data — continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information.”
Lots of taxpayer money buys little cyberdefense. Since 2006, the federal government has spent at least $65 billion on computer and network security.
Despite the big bucks, security management, meaning security oversight and leadership to ensure oversight, is inconsistent. Sloppiness and boneheadedness undermine discipline and thoughtful vigilance.
This is a major national security scandal. It is time for the boneheads to roll.