The heading above is the title of a report commissioned by the U.S. Senate to look into the cybersecurity / netsec / infosec practices of the top U.S. agencies (from the FBI onward).
The conclusions that the Senate report made about the agencies were pretty concerning.
Below are some of the takeaways from the Senate's extensive investigative research:
- "Seven agencies still fail at effectively securing data" (this is pretty fucking concerning)
- "While several of the agencies made minimal improvements in one or more areas"
- "In FY 2019 the agency responsible for implementing cybersecurity standards across the Federal Government received a failing grade for its own cybersecurity posture." (what the fuck?)
- "High vulnerabilities are considered entry points for hackers to breach an agency's network and significantly impact operations. The DHS IG has identified the failure to properly apply security patches at DHS for the last 12 years" (again, what the fuck?)
- "The State Department could not provide documentation for 60 percent of the sample employees tested who had access to the agency's classified network and left thousands of accounts active after an employee left the agency for extended periods of time on both its classified and unclassified networks."
- "The Department of Transportation (DOT) Inspector General found 14,935 IT assets belonging to the Department, including 7,231 mobile devices, 4,824 servers, and 2,880 workstations of which the Department had no record."
- "The Department of Housing and Urban Development (HUD) Inspector General found unauthorized 'shadow IT' on the agency's network..."
- "The Department of Agriculture (USDA) Inspector General found a significant number of high vulnerabilities on the agency's public facing websites that were unknown to the agency."
- "Two components at the Department of Health and Human Services (HHS) had not fully implemented DHS's flagship cybersecurity programs - a cyber-intrusion detection system known as 'EINSTEIN' that identifies known threats to the network and has been required by law for five years, and a program called Continuous Diagnostics and Mitigation, which the Department asserted it could not force its subordinate components to implement."
- "In a test of the Department of Education's security, the Inspector General was able to exfiltrate hundreds of sensitive PII files, including 200 credit card numbers without the agency detecting or blocking it." (sigh)
- "At least seven of the eight agencies still operated unsupported legacy systems. Only one agency's inspector general did not cite it for continuing to operate legacy information technology in FY 2020, HHS, and the Government Accountability Office has historically noted at least three legacy systems at HHS, including its Medicare Beneficiary Enrollment system."
- "The highest grade received was a B, awarded to the DHS"
- "It is clear that the data entrusted to these eight key agencies remains at risk. As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable."
- "According to agency inspectors general, the average grade of the large Federal agencies' overall information security maturity was 'C-'" (this is really troubling to be honest, because it means that the country is still just not even attempting to take any of this shit seriously.)