Several federal agencies, including the U.S. Department of Housing and Urban Development (HUD), have failed to meet basic cybersecurity standards, putting the personal and financial information of millions of Americans at risk of theft, according to a bipartisan report from a U.S. Senate committee released Tuesday.
The 47-page report, “Federal Cybersecurity: America’s Data Still at Risk,” follows a 2019 report that found that eight federal agencies — the departments of State, Transportation, HUD, Agriculture, Health and Human Services, Education and the Social Security Administration — had systematically failed to comply with federal cybersecurity standards identified by the agencies’ inspectors general.
Two years later, only one — DHS — had “managed to employ an effective cybersecurity regime for 2020,” the report said. The other seven agencies had made “minimal improvements” and earned grades of C or D from the report, based on ratings from the agencies’ own inspectors general. DHS received the highest grade, a B. The agencies’ overall grade was a C-.
The report, from the Senate Committee on Homeland Security and Governmental Affairs, found that all eight agencies “had significant cyber security weaknesses.” This includes seven agencies that failed to protect personally identifiable information adequately, seven agencies that used legacy systems or applications no longer supported by the vendor with security updates, seven agencies that failed to maintain accurate and comprehensive information technology asset inventories, six agencies that operated systems without current authorizations to operate, and six agencies that failed to install security patches and other vulnerability remediation controls quickly, the report said.
HUD, which maintains at least a billion records containing Americans’ personal information such as names, addresses, incomes, and employment history, suffered from many of these shortcomings, according to the report. The agency has allowed “shadow IT” — hardware, software or cloud services used without the organization’s knowledge — to operate without approved authority. This means that the agency may not know a system exists until it is breached, and it cannot install security patches on systems it does not know about, leaving the agency vulnerable.
HUD also operates mostly on legacy systems, which are inefficient, costly to maintain and “increasingly difficult to secure,” the report said. The agency has also failed to inventory all of the systems containing HUD data, particularly web applications, and to implement multifactor authentication for HUD systems that store, process or transmit personally identifying information. Moreover, HUD did not maintain an inventory of the collection and use of such information and lacked awareness as to how much of this information was under its purview and where it was located.
The report comes as cybersecurity has become increasingly concerning both in the real estate industry and in society as a whole. The report noted that in the past two years, state-sponsored hackers from Russia and China have “perpetrated some of the largest and most-damaging cyber-attacks in our history.” This includes the breach known as SolarWinds, which allowed Russian cyber-spies to infiltrate nine federal agencies undetected for at least nine months.
The White House reported 30,819 information security incidents across the federal government in 2020, an 8 percent year-over-year increase, according to the report.
“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data,” said Senator Rob Portman (R-Ohio) in a statement. Portman is the committee’s ranking member and previously led the creation of the 2019 report.
“This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers. I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade — the American people deserve better.
“In the coming months, I will be introducing legislation to address the recommendations raised in this report so that America’s data is protected. This report makes it clear that the Biden administration must also ensure there is a single point of accountability for federal cybersecurity to oversee the implementation of our recommendations and address these cybersecurity failures.”
Among other recommendations, the report called for “a centrally coordinated approach for government-wide cybersecurity to ensure accountability” with a main office responsible for coordinating with agencies to develop and implement a cybersecurity strategy for the federal government.
The report also recommended that the Office of Management and Budget (OMB) develop and require agencies to adopt “a risk-based budgeting model” for IT investments that would prioritize using funds on security weaknesses “most likely to be exploited by hostile actors.”