The US Government is a privileged target for cybercriminals, state-sponsored hackers and hacktivists, for years now, officials and politicians have warned of the risks related to a cyber attack.
Leon Panetta, former Director of the Central Intelligence Agency, warned in many cases on the possibility of a huge cyber attacks against US critical infrastructure and networks, US Intelligence has confirmed the concerns in his last report on principal threats to Homeland Security.
The Government of Washington has replied to the warning, increasing the cyber security budgets amongst US government agencies despite the numerous cuts to military caused by the global economic crisis.
A recent report published by The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure, provides a scaring picture on the nation’s defense situation.
Over 48,000 successfully cyber attacks breached the US defense, they were caused by the failure to employ very basic security measures, weak passwords, unpatched software and inadequate controls are the principal causes of the incidents observed to US government infrastructure reporting to the Department of Homeland Security.
The report is related to the incidents occurred during the 2012 financial year, the human factor is the weakest link of security chain, in many cases the personnel of the US Government Office is not sufficiently aware of principal cyber threats.
“None of the other agencies want to listen to Homeland Security when they aren’t taking care of their own systems. They aren’t even doing the simple stuff.” said Senator Tom Coburn, the ranking Republican on the committee.
Coburn also revealed that the level of pay offered by the US Government to the employees is too low to motivate talented professional to join to the internal agencies.
The total amount of expenses for cybersecurity for the those incidents since 2006 is nearly $65 billion, but high-profile agencies still not follows good security practice.
“Since 2006, the federal government has spent at least $65 billion on securing its computers and networks, according to an estimate by the Congressional Research Service. The National Institute of Standards and Technology (NIST), the government official body for setting cybersecurity standards, has produced thousands of pages of precise guidance on every significant aspect of IT security. And yet agencies — even agencies with responsibilities for critical infrastructure, or vast repositories of sensitive data — continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information”
Let’s consider the data related to evaluation of systems tt the Department of Homeland Security, there were found “hundreds of vulnerabilities on the DHS cyber team’s systems, including failures to update basic software like Microsoft applications, Adobe Acrobat and Java, the sort of basic security measure just about any American with a computer has performed.”
The report documented another concerning problem, also physical security of US Government infrastructures is not sufficient, internal inspections found handwritten notes containing passwords and other sensitive information unattended left on desks. The situation is quite similar for many Agencies and Offices. Within The Nuclear Regulatory Commission (NRC), which is the entity which maintains sensitive documentation on nuclear facilities including the design and security plans of every nuclear reactor, waste storage facility, and uranium processing facility in the United States, data was shared on an unsecured drive and personnel bypassed controls using their own devices at workplace. One of the main problem is related to the patch management process, vulnerable programs and systems resulted unpatched for a long time enlarging the windows of exposure for US networks.
The report is full of obscenities under security perspective, computers were running software with unpatched critical vulnerabilities, internal employees were transmitting sensitive financial information between their personal email accounts, confidential data were archived in unencrypted laptops in violation of the SEC’s own policies, the same laptops were also lacked any kind of defensive software.
I suggest you to read the report, its findings are unbelievable considering the high-sensitive offices and organization involveld … let’s hope agencies will read it too.