Federal Cybersecurity: Not Even Good Enough for Government Work

Epic government fail, yet no one is responsible.



"You failed," said Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee. "You failed utterly and totally." The congressman was addressing federal officials at a hearing on the massive hack of the Office of Personnel Management (OPM). On June 4, the agency had revealed that hackers (most likely backed by the Chinese government) had ransacked its computers for months, stealing the personally identifiable information of between 4 million to 18 million federal government applicants and employees. The records taken included security clearance data in which employees revealed, among other things, their sexual transgressions, drug use, mental problems, and relatives living abroad. This may allow foreign agents to blackmail federal workers with access to sensitive information.

The federal government's vulnerability to hacking was well-known prior to this colossal cybersecurity failure. In February 2013, President Obama issued an executive order directing the U.S. attorney general, the secretary of homeland security, and the director of national intelligence to establish a national Cybersecurity Framework to protect critical infrastructure from cyberattacks. The minority staff of the Homeland Security and Governmental Affairs Committee issued a report in February 2014 detailing the manifold breakdowns of cybersecurity at numerous agencies. Federal information technology security remained weak even though the government had spent $65 billion on it since 2006. The Senate report found that, for example, the Department of Homeland Security (DHS) had failed to implement comprehensively even the most mundane security measures, such as routinely installing software updates and security patches, using strong passwords, updating anti-virus software, and fixing known vulnerabilities on DHS websites that "could allow a hacker to hijack user accounts, execute malicious scripts, or access sensitive information."

In April, Gregory Wilshusen, director of information security issues at the Government Accountability Office (GAO), testified that "19 of 24 major federal agencies reported that deficiencies in information security controls constituted either a material weakness or significant deficiency in internal controls over their financial reporting." He noted that the number of information security incidents reported to the U.S. Computer Emergency Readiness Team had more than doubled from 30,000 in 2009 to more 67,000 in 2014. The number of federal data breaches involving personally identifiable information had also more than doubled, from 10,481 in 2009 to 27,624 in 2014.

While the federal government is terrible at cybersecurity, the successful hacks into Target, Sony, JPMorgan Chase, and Anthem show that private sector companies are also vulnerable. In its 2013 Privatization Report, the Reason Foundation—the organization that publishes this website—argued nevertheless that because their assets, property, competitiveness and reputation are on the line when it comes to information security, private businesses have a much stronger motivation to protect their data and communications than do government agencies. And sure enough, of all the sectors of the U.S. economy, the federal government is dead last when it comes to cybersecurity, according the software security firm Veracode. In its new State of Software Security Report, the company benchmarks software security against the top 10 list of vulnerabilities identified by the Open Web Application Security Project. The company reports that "only 27 percent of identified vulnerabilities in government applications get remediated," leaving agencies open to just the sort of data breach that occurred at the OPM.

So what to do? First, the feds should make encryption of their databases and communications pervasive. As Bruce Schneier, a security expert with the Berkman Center at Harvard, points out, encryption "protects our data from criminals. It protects it from competitors, neighbors, and family members. It protects it from malicious attackers, and it protects it from accidents." Consequently, encryption should be ubiquitous and automatic, enabled for everything by default. This would also have the advantage of inhibiting domestic spying by government agencies.

The private sector is gradually taking Schneier's advice. An April survey of businesses conducted by Thales e-Security found that 36 percent are now implementing an enterprise-wide encryption strategy, up from 15 percent only 10 years ago.

Government agencies should also at long last adopt the mandatory personal identity verification standards that the DHS ordered in 2004. These credentials involve, among other things, issuing "smart cards" to government workers that give them access to agency information technologies. According to the GAO, as of February only 41 percent of percent of federal agency user accounts required such cards. 

Finally, the managers responsible for federal cybersecurity need to get fired for incompetence. "No one is ever held accountable," James Lewis pointed out to the Associated Press this week. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, noted that the CEO of Target resigned over that company's data breach. The government's cyberdebacles, meanwhile, have been "penalty free," suggesting that "senior leadership doesn't really care about this."

On Thursday, Sen. Ron Johnson (R.-Wisc.) called federal cybersecurity efforts "grossly inadequate." He added that "agencies are concentrating their resources trying to dictate cybersecurity requirements for private companies, which in many cases are implementing cybersecurity better and more cheaply." Perhaps the feds should get their own house in order before trying to tell others how to protect themselves.

NEXT: Two Parents Weren't Sure How Their Little Girl Fractured Her Leg, So CPS Took the Kids

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. The article doesn’t have a link from

  2. It was also contractors’ info that was breached. Contractors automatically assume they’re not included when “Fed gov employees” are referenced.

  3. Security (DHS) had failed to implement comprehensively even the most mundane security measures, such as routinely installing software updates and security patches, using strong passwords, updating anti-virus software,

    I didn’t know the lab where I work was a part of the DHS.

  4. Honestly, the U.S. government should make “Epic Fail” its fucking motto now. In Latin, of course. Um, Epicus defectum?

      1. Crap. Really? Wrong again? Where’s John Cleese when you need him? I used to have smacky to translate things into Latin and Greek for me, but she’s gone to the place where all commenters go when they no longer comment.

        1. Etiam ut difficillime Google Translate

          1. Oh. You can’t trust Google. Not with Latin.

  5. This Privatization Report states that private companies have more incentive to secure their stuff, but it doesn’t provide much backing to the contention that they actually do secure their stuff.

    1. Both private corporations and governments have the same flaw: The people making the decisions have very little (if any) technical skills/background. Generally their claim to fame revolves around good hair, low golf scores, and the ability to glean informational nuggets from CIO Magazine. They don’t care if their decisions hurt the customers or the organization. All they care about is that they save $X, which directly translates to an annual bonus of $X/20.

      If I had my way, the publisher of CIO Magazine and others of that ilk would be declared cyberterrorists and dealt with. Harshly. Drawn and Quartered, then sent through a woodchipper. And their buildings converted to Section 8 housing.

  6. Good thing we have gay marriage and Obamacare to distract us. Otherwise, the media would have a tougher time ignoring the colossal fail that is our federal government.

    1. You forgot about the flag.

      1. Oh yeah, the Duke Boys and their White Supremacist car are also more important than this.

        1. Well, the flag did murder nine people.

          1. That’s why we need mandatory flag-locks.

  7. A better solution would be for the federal government to make all of their records public, since they’re at least theoretically accountable to the electorate.

    1. Yeah, explain to me how the government can keep secrets from me. I’m a fucking American citizen. I hereby demand electronic copies of all records and data held by the federal government. Sent to my gmail account.

      1. It’s for your own good. Now kiss the ring and genuflect.

        1. voicemode = Della_Reese

          Kiss my ENTIRE ass.

    2. That can be a problem if their records also contain your secrets…..d-numbers/

      The 76 new pages of data, covering 2005 through 2013, show that CBP retains massive amounts of data on us when we travel internationally. My own PNRs include not just every mailing address, e-mail, and phone number I’ve ever used; some of them also contain:

      The IP address that I used to buy the ticket
      My credit card number (in full)
      The language I used
      Notes on my phone calls to airlines, even for something as minor as a seat change

      The breadth of long-term data retention illustrates yet another way that the federal government enforces its post-September 11 “collect it all” mentality.

      1. That is all the more reason to make it public.

  8. Only way to really lock down a network and data is to make it proprietary from everything else.

    Spec a custom bastard of a closed OSI (CSI?), then build custom switches that understand no other protocol. Clients likewise, in addition to custom file system and no physical I/O on the box(es). Then encrypt the whole fucking thing, and run it only over parallel government Darknet (NSA centers & Sprint alt-backbone). Then spy that protocol for ‘anomalies.’ Security Done!

    But that’s a lot of work and planning and competence and stuff.

  9. Obviously the solution is to put Hillary Clinton in charge of “Federal Cybersecurity”, whatever *that* is.

    1. Mark every file “Benghazi” or “Lerner”. That makes them guaranteed to be inaccessible.

      1. That’s like the old joke about how to keep people from getting HIV:

        Give it an NSN, then no one can get it.

        (NSN=National Stock Number, the catalog number assigned by GSA for everything the government buys)

    2. No, she’s much more valuable investing in cattle futures.

      She turned $1k into $100k in 10months. She should pay off the National Debt before her first term is up.

  10. Is this thread safe from the…. you know?

    1. Of course not. I’ve assumed they monitor this site for yrs .

    2. Woodchippers?

  11. Man, how do ya’ll respond to each other so quickly when the system doesn’t give any sort of message telling you that someone has replied to your comment?

    1. They don’t work…no job, wife (cause we’re all men) or other distractions.

    2. By refreshing a lot. They also tend to use extensions like (Firefox) or reasonable (Chrome), which highlight unread posts.

      1. iCarl, thanks a lot man! This reasonable extension is dope.

  12. We’re all Gov’t employees now

    1. We’re not employees, we’re tax cattle.

  13. It only seems fair that US Federal data is accessed by others, given how much access they enforce on them — the Principle of Symmetry. It is that type of security laxness that allowed heroes such as Assange, Manning, and Snowden to give the US Federal Government’s victims an opportunity to see just how they have been and are victimized.

    It also provides a powerful argument for the US Federal Government to stop retaining information on private individuals, and to allow those individuals to use arbitrarily strong encryption to prevent their data from being accessed without explicit consent.

  14. A total hack…..
    (See Archuleta’s bio at OPM website)….
    Every pol she’s been associated with has been a disaster.

  15. Please folks. Don’t give them any new ideas.

    I work for a local government agency that receives federal funds. The reporting requirements are outrageous. Ney, impossible.

    All reporting is done electroniclaly these days. But, existing federal protocol requires that I change my password every 90 days. And, that password requires 12 character min, upper & lower case, numerals, special characters, no duplicates over 24 months and on and on.

    WTF? Is someone going to break into a federal system and do my reporting for me? What we report is relatively mundane operating data for a public transit system for crying out loud. It’s all public information to boot!

    I have literally, a password protected spreadsheet thirteen tabs, containing more than 300 passwords I have to use in my life now for both personal and business.

    Some of these federal reports I only submit once a year. But, if I don’t change my password every 90 days, I get locked out. I also have to keep the ED’s and our attorney’s password updated for the once a year they are supposed to log in and certify some document. Only, I’m usually the one who logs in as either of them and does the certification on their behalf.

  16. Note that all the NSA snooping and subpoenas filed against US citizens who say things the government doesn’t like failed to detect or prevent this event.

  17. This particularly grotesque case aside, it wouldn’t particularly surprise me that the Chinese are finding and using the very back doors the NSA installs in security software so they can unconstitutionally spy on Americans.
    Not sure why the NSA and the Chinese don’t just work together, since apparently their goals are pretty much the same.

  18. Start making cash right now… Get more time with your family by doing jobs that only require for you to have a computer and an internet access and you can have that at your home. Start bringing up to $8596 a month. I’ve started this job and I’ve never been happier and now I am sharing it with you, so you can try it too. You can check it out here…

  19. Google pay 97$ per hour my last pay check was $8500 working 1o hours a week online. My younger brother friend has been averaging 12k for months now and he works about 22 hours a week. I cant believe how easy it was once I tried it out.
    This is wha- I do…… ??????

  20. Encryption is a good start but will only serve to provide a false sense of security if not implemented correctly. Encryption relies on very large numbers, known as keys, No matter how strong the encryption the protection is minimal if the keys are easily compromised. I have noticed that even in the private sector people will use the largest (and thus “strongest”) key supported by their encryption technology but then fail to take even the most minimal steps to protect the keys, such as changing the default password on files that store the keys. This is very much like buying the most sophisticated locks for your front door and then keeping the key under the mat.

  21. Start making cash right now… Get more time with your family by doing jobs that only require for you to have a computer and an internet access and you can have that at your home. Start bringing up to $8596 a month. I’ve started this job and I’ve never been happier and now I am sharing it with you, so you can try it too. You can check it out here…

Please to post comments

Comments are closed.