On Feb. 4, the Senate Homeland Security and Governmental Affairs committee’s minority staff released a 19-page assessment titled “The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure.” Retiring Sen. Tom Coburn, R-Okla., sponsored the assessment. The footnoted assessment draws on more than 40 agency audits and inspector general reviews.
Coburn’s short and readable document supports its high-tech horror story with vivid, near-slapstick examples of bonehead stupidity and reckless laziness magnified by supervisor irresponsibility and senior leader neglect.
Slapstick and bonehead by “The Three Stooges” is comedy. Persistent, uncorrected cybersecurity errors by agencies handling extremely sensitive information is a scandal with the potential for tragedy.
By reputation, the Nuclear Regulatory Commission is a tech-savvy organization. When President Gerald Ford signed the NRC’s authorizing legislation, he said that licensing and regulating the civilian use of nuclear materials is a complicated job with “special potential hazards.”
Nuclear reactors must be protected from earthquakes, terrorists and cyber attacks on the computers monitoring their output. However, investigators discovered that the NRC “stored sensitive cybersecurity details for nuclear (power) plants on an unprotected” computer. Storing security data for reactor computers on a non-secure computer is beyond bonehead. Moreover, the computer drive was “shared”; several offices could access the defenseless data. Cyberthieves and spies had multiple routes; lousy security in one office undermined tight security elsewhere. Ultimately, the report condemns the NRC’s information technology experts for “perceived ineptitude.”
On to money. Regulating and insuring the integrity of U.S. stock markets is a central function of the SEC. However, the SEC “routinely exposed extremely sensitive” New York Stock Exchange computer network data, including cybersecurity methods and procedures. The 2013 hack on Target stores compromised customer data and financially damaged the discount chain. The NYSE is a bigger target than Target. Hacking the Big Board wreaks global financial damage. Bonehead security sloppiness at the SEC, the NYSE’s chief government regulator and policeman, gave hackers and terrorists the inside skinny on the market’s IT defenses.
The report damns the U.S. Army Corps of Engineers. Hey, Corps’ IT security is much worse than my pun. In January 2013, hackers penetrated Corps’ computers, filching a “non-public database” with information on “the nation’s 85,000 dams.” The data included assessments of “each dam’s condition, potential for fatalities if breached, (its) location and nearest city.” If a dam’s condition report addresses detailed structural weaknesses, a terrorist can better estimate exactly how much explosive his bomb requires and where he should place the device.
These sensational examples of inexcusable IT malfeasance appear on the report’s introductory page. They reveal the compromise of sensitive regulatory data fundamental to each agency’s central regulatory mission. Though sensational, they are representative. Other agencies have similar horror stories, including the Department of Defense, Department of Energy, the IRS, NASA, the FDA and Homeland Security. Homeland Security has experienced numerous problems in its cyber security office and its component agencies. The IRS bleeds sensitive taxpayer information. It “fails to encrypt sensitive data” and does not “properly fix known vulnerabilities.”
Sophisticated hackers are a constant threat to everyone — individuals, private businesses and government agencies. However, IG investigators found that many government breaches involve exploiting “mundane weaknesses.” These include failure to install software patches and using weak passwords. Investigators often found passwords written on a worker’s desk right beside a classified computer.
The government has issued numerous directives. “The National Institute of Standards and Technology, the government’s official body for setting cybersecurity standards, has produced thousands of pages of precise guidance on every significant aspect of IT security. And yet agencies — even agencies with responsibilities for critical infrastructure or vast repositories of sensitive data — continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information.”
Lots of taxpayer money buys little cyber defense. Since 2006, the federal government has spent at least $65 billion on computer and network security.
That figure is an estimate and may not include all military and intelligence agency expenditures. Despite the big bucks, security management, meaning security oversight and leadership to insure oversight, is inconsistent. Sloppiness and boneheadedness undermine discipline and thoughtful vigilance.
This is a major national security scandal. Loose disks do sink ships. It is time for the boneheads to roll.
Austin Bay is a syndicated columnist.