The State Department and 3 other US agencies earn a D for cybersecurity

Eight federal agencies are so insecure that four earned D grades, three received Cs and one got a B in a Tuesday report by the US Senate Committee.

The 47-page report said that it was clear that data entrusted by these eight agencies is at risk. The hackers, state-sponsored or not, are becoming more sophisticated and persistent. Congress and the executive cannot allow PII to remain vulnerable.

Two years ago, the Senate Committee on Homeland Security and Governmental Affairs released a report that found systemic violations by eight federal agencies of federal cybersecurity standards. In the previous report, it was found that agencies failed to adequately protect personally identifiable information during the period 2008-2018. They also failed to maintain a complete list of all software and hardware used by agency networks. And they did not install vendor-supplied security patches in a timely manner.

The 2019 report highlighted the fact that legacy systems were expensive to maintain and difficult to secure. The eight agencies, including the Social Security Administration and Departments of Homeland Security, State, Transportation, Housing and Urban Development, failed to secure sensitive information they held or maintained.

Tuesday's report, Federal Cybersecurity: America's Data Still at Risk, examined security practices of the same agencies in 2020. The report found that only one agency received a grade B for cybersecurity practices in the past year.

The authors stated that the report is quite shocking. The same problems that have plagued Federal agencies for over a decade were identified by inspectors general. Seven agencies showed little improvement, while only DHS was able to implement a comprehensive cybersecurity program for 2020.
This report shows that seven Federal agencies have not met basic cybersecurity standards to protect America's sensitive data.

These grades were assigned by the authors:

Department of State: D
Department of Transportation: D
Department of Education: D
Social Security Administration: D
Department of Agriculture: C
Department of Health and Human Services: C
Department of Housing and Urban Development: C
Department of Homeland Security: B

Auditors discovered that State Department systems often operated without authorizations, used outdated software (including Microsoft Windows), and did not install security patches promptly.

Particular criticism was levelled at the department's user management system because officials could not provide documentation on user access agreements for 60 per cent of employees who had access to the classified network.

The auditors wrote:

The network includes data that, if revealed to an unauthorized individual, could cause serious damage to national security. Even more concerning is the failure of State to close thousands of accounts that remained inactive for extended periods on its classified and sensitive networks. The Inspector General stated that some accounts remained active for as long as 152 consecutive days after employees retired, quit, or were fired. These credentials could be used by hackers or former employees to gain access to classified and sensitive information about the United States. They can also appear to be authorized users.
The risk of unauthorized access to sensitive information is greatly increased if this category is not resolved, according to the Inspector General.

The Social Security Administration suffered many of these same flaws, including a lack of authorization for many systems, use of unsupported systems, failure to compile an accurate and comprehensive IT asset inventory, and failure to provide adequate protection for PII.

The report linked earlier contains details about other departments.

This report comes seven months after the discovery of a supply-chain attack that compromised nine federal agencies as well as about 100 private businesses. Hackers working for the Chinese government broke into multiple federal agencies using vulnerabilities in the Pulse Secure VPN.

The White House reported 30,819 incidents involving information security across the federal government for 2020. This is an 8 percent increase over the previous year.