Federal agencies ignore cyber security while breaches continue

by Steve Blum • , ,

Cyber security at federal agencies continues to be so bad that the Government Accountability Office is throwing up its hands and saying we’ve already told you what needs to be done, so just do it

While federal agencies are working to carry out their [Federal Information Security Modernization Act]-assigned responsibilities, they continue to experience information security program deficiencies and security control weaknesses in all areas including access, configuration management, and segregation of duties. In addition, the inspectors general evaluations of the information security program and practices at their agencies determined that most agencies did not have effective information security program functions. We are not making new recommendations to address these weaknesses because we and the inspectors general have previously made hundreds of recommendations. Until agencies correct longstanding control deficiencies and address our and agency inspectors general’s recommendations, federal IT systems will remain at increased and unnecessary risk of attack or compromise.

The report is a good primer on cyber security threats and best practices. It includes some telling examples. The Internet Revenue Service’s website allowed access to private data, using personally identifiable information about taxpayers that’s available elsewhere. In another breach, thousands of treasury department documents walked out the door with a former employee…

Concurrent with a new policy that restricted employees’ use of removable media devices to prevent users from downloading information onto the devices without approval and review, the agency began reviewing employee downloads to removable media devices. During the review, it identified a significant change in download patterns for a former employee in the weeks before the employee’s separation from the agency. The former employee had downloaded approximately 28,000 files that may have contained controlled unclassified information onto two encrypted external thumb-drive devices. As of October 2016, the agency had been unable to recover the devices storing the files.

The next time a federal agency demands a back door into private sector platforms or encryption systems, this report accompanied by a simple no should be all the answer that’s required.