Federal Cybersecurity: Not Even Good Enough for Government Work

"You failed," said Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee. "You failed utterly and totally." The congressman was addressing federal officials at a hearing on the massive hack of the Office of Personnel Management (OPM). On June 4, the agency had revealed that hackers (most likely backed by the Chinese government) had ransacked its computers for months, stealing the personally identifiable information of between 4 million to 18 million federal government applicants and employees. The records taken included security clearance data in which employees revealed, among other things, their sexual transgressions, drug use, mental problems, and relatives living abroad. This may allow foreign agents to blackmail federal workers with access to sensitive information.

The federal government's vulnerability to hacking was well-known prior to this colossal cybersecurity failure. In February 2013, President Obama issued an executive order directing the U.S. attorney general, the secretary of homeland security, and the director of national intelligence to establish a national Cybersecurity Framework to protect critical infrastructure from cyberattacks. The minority staff of the Homeland Security and Governmental Affairs Committee issued a report in February 2014 detailing the manifold breakdowns of cybersecurity at numerous agencies. Federal information technology security remained weak even though the government had spent $65 billion on it since 2006. The Senate report found that, for example, the Department of Homeland Security (DHS) had failed to implement comprehensively even the most mundane security measures, such as routinely installing software updates and security patches, using strong passwords, updating anti-virus software, and fixing known vulnerabilities on DHS websites that "could allow a hacker to hijack user accounts, execute malicious scripts, or access sensitive information."

In April, Gregory Wilshusen, director of information security issues at the Government Accountability Office (GAO), testified that "19 of 24 major federal agencies reported that deficiencies in information security controls constituted either a material weakness or significant deficiency in internal controls over their financial reporting." He noted that the number of information security incidents reported to the U.S. Computer Emergency Readiness Team had more than doubled from 30,000 in 2009 to more 67,000 in 2014. The number of federal data breaches involving personally identifiable information had also more than doubled, from 10,481 in 2009 to 27,624 in 2014.

While the federal government is terrible at cybersecurity, the successful hacks into Target, Sony, JPMorgan Chase, and Anthem show that private sector companies are also vulnerable. In its 2013 Privatization Report, the Reason Foundation—the organization that publishes this website—argued nevertheless that because their assets, property, competitiveness and reputation are on the line when it comes to information security, private businesses have a much stronger motivation to protect their data and communications than do government agencies. And sure enough, of all the sectors of the U.S. economy, the federal government is dead last when it comes to cybersecurity, according the software security firm Veracode. In its new State of Software Security Report, the company benchmarks software security against the top 10 list of vulnerabilities identified by the Open Web Application Security Project. The company reports that "only 27 percent of identified vulnerabilities in government applications get remediated," leaving agencies open to just the sort of data breach that occurred at the OPM.

So what to do? First, the feds should make encryption of their databases and communications pervasive. As Bruce Schneier, a security expert with the Berkman Center at Harvard, points out, encryption "protects our data from criminals. It protects it from competitors, neighbors, and family members. It protects it from malicious attackers, and it protects it from accidents." Consequently, encryption should be ubiquitous and automatic, enabled for everything by default. This would also have the advantage of inhibiting domestic spying by government agencies.

The private sector is gradually taking Schneier's advice. An April survey of businesses conducted by Thales e-Security found that 36 percent are now implementing an enterprise-wide encryption strategy, up from 15 percent only 10 years ago.

Government agencies should also at long last adopt the mandatory personal identity verification standards that the DHS ordered in 2004. These credentials involve, among other things, issuing "smart cards" to government workers that give them access to agency information technologies. According to the GAO, as of February only 41 percent of percent of federal agency user accounts required such cards. 

Finally, the managers responsible for federal cybersecurity need to get fired for incompetence. "No one is ever held accountable," James Lewis pointed out to the Associated Press this week. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, noted that the CEO of Target resigned over that company's data breach. The government's cyberdebacles, meanwhile, have been "penalty free," suggesting that "senior leadership doesn't really care about this."

On Thursday, Sen. Ron Johnson (R.-Wisc.) called federal cybersecurity efforts "grossly inadequate." He added that "agencies are concentrating their resources trying to dictate cybersecurity requirements for private companies, which in many cases are implementing cybersecurity better and more cheaply." Perhaps the feds should get their own house in order before trying to tell others how to protect themselves.