Investigation finds federal agencies failed to address cyber vulnerabilities

Several federal agencies failed to update system vulnerabilities over the course of the last two administrations and left Americans’ personal information open and vulnerable to theft, a report released Tuesday by the Senate Homeland Security and Governmental Affairs Subcommittee on Investigations found.

TheĀ report, spearheaded by subcommittee Chairman Rob Portman (R-Ohio) and ranking member Tom Carper (D-Del.) and put together after a 10-month investigation, reviewed data compiled over the last decade by the inspector general on federal information security standards for eight agencies.

These agencies were the departments of State, Homeland Security, Health and Human Services, Transportation, Education, Agriculture, and Housing and Urban Development, as well as the Social Security Administration.

Of these agencies, the report found that seven had failed to provide adequate protection for personal information in their systems and that six of the agencies had not installed system patches in a timely way to protect against cyber vulnerabilities. All eight agencies were found to use “legacy systems,” or those not supported by the original manufacturer anymore, resulting in further cyber vulnerabilities.

Specific agency findings included that Homeland Security, Transportation, Agriculture, and Health and Human Services failed to address some cybersecurity weaknesses identified by the inspector general over a decade ago, while the Social Security Administration was found to have severe cybersecurity vulnerabilities that risked the exposure of the personal information of more than 60 million Americans who receive Social Security benefits.

Another major security flaw found by the investigation was that the Education Department has been consistently unable to prevent unauthorized devices from connecting to its network since 2011. While the agency has limited this access to under 90 seconds, the inspector general reported that this was enough time for a malicious actor to launch an attack.