While plenty of private companies were compromised in the SolarWinds attack, more importantly, many federal departments and agencies, including Treasury, State, the nuclear security folks, the FAA and others, were compromised and had information stolen.
Congress is getting into the act; we will see whether anything positive happens or Congress simply loses interest.
The GAO, the agency that used to be called the General Accounting Office and is now called the Government Accountability Office, is required by law to report on all government agency cybersecurity every two years.
This year’s report is not pretty. Your tax dollars not working so well, I guess.
The GAO says that agencies have failed to implement 750 changes recommended in the last report, including some that might have stopped the Russians from pulling off the SolarWinds attack.
In a hearing this week, the House Committee on Oversight and Reform members appeared to be concerned about deteriorating federal cybersecurity.
This should not really surprise anyone. The last administration didn't seem to care much about cyber, and even when there were attacks, it didn't do anything unless the response happened to mesh with some other political agenda (like beating up on China, but not Russia).
Here is how the Committee Chairwoman summed up the situation:
“The vulnerability of federal and private sector systems, including critical infrastructure of the nation’s energy, transportation, communications, and financial sector, is absolutely staggering.”
Last month an attack on a water treatment plant in Florida could have killed thousands of people. It was pure dumb luck that the attack was detected in time. That was a local utility, not the feds, but it is still government.
The GAO says that they have made 3,300 cybersecurity recommendations since 2010. About 800 have not been addressed.
I think the biggest problem is people.
During the last administration, cybersecurity people ran, not walked, away from government positions because they did not want to deal with the politics and the bureaucracy.
Those people will never come back. They are making far more money in the private sector, which is another problem in itself.
An indication of the magnitude of the problem, from the GAO's testimony:
The White House’s September 2018 National Cyber Strategy and the National Security Council’s accompanying June 2019 Implementation Plan were criticized for being rudderless. The plan detailed 191 activities that federal entities are to undertake, but did not include goals and timelines for 46 of them, identify resources needed to execute 160 of them, or specify a process for monitoring progress.
Remember that the federal government collects more of your personal information than even Google does: tax returns, healthcare records, Social Security wage history, all kinds of information. If its security practices are that bad, the likelihood of it keeping that information safe is, well, close to zero.
We will see if Congress does anything. Credit: The Record