GOP Report Stresses Gov't InfoSec FlawsDoes Study Politicize Cybersecurity in the U.S. Government?
Days before the Obama administration will release a framework aimed at securing the nation's critical infrastructure, Senate Republicans issued a report detailing vulnerabilities in federal IT, suggesting the White House get its own house in order before advising others.
The report from the Republican members of the Senate Homeland Security and Governmental Affairs Committee, titled The Federal Government's Track Record on Cybersecurity and Critical Infrastructure, says it's appropriate for the White House to see a federal role in protecting privately owned infrastructure that undergirds the nation's economy and society. "However, for the country's citizens and businesses to take the government's effort seriously, the federal government should address the immediate danger posed by the insecurity of its own critical networks," the report says.
The report did not specifically reference the cybersecurity framework, a government-business collaboration shepherded by the Commerce Department's National Institute of Standards and Technology, to guide infrastructure owners on establishing their own IT security programs. The framework is scheduled to be issued Feb. 13. But the ranking member on the committee, Sen. Tom Coburn of Oklahoma, alludes to administration initiatives aimed at the private sector.
"While politicians like to propose complex new regulations, massive new programs and billions in new spending to improve cybersecurity, there are very basic - and critically important - precautions that could protect our infrastructure and our citizens' private information that we simply aren't doing," Coburn says.
Jacob Olcott, a former Senate Commerce Committee counsel specializing in cybersecurity, says Coburn is absolutely right to examine government cybersecurity. "There's too little oversight today of this important issue," says Olcott, cybersecurity principal at Good Harbor Consulting. "But I would separate the very valid concerns about our government's own cybersecurity from the need to develop national policy on critical infrastructure protection. You can build a fence around your house and talk to your neighbor at the same time."
The Republicans didn't hold back on their critique of federal government IT security. The report points out that the federal government has spent at least $65 billion on securing its computers and networks since 2006 while NIST has produced thousands of pages of precise guidance on every significant aspect of IT security. "And yet agencies - even agencies with responsibilities for critical infrastructure or vast repositories of sensitive data - continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information," the report says.
Democrats on the Homeland Security and Governmental Affairs Committee were aware of the report, but did not review it before its publication. A spokesperson for Sen. Tom Carper, the Delaware Democrat who chairs the committee, downplays the significance of the GOP report, saying the report "appears to reiterate some well-known security challenges identified in previous inspector general reports."
Indeed, the report's authors say its findings are based on more than 40 government audits and investigations conducted by agencies' inspectors general, the Government Accountability Office and others.
Carper sees the GOP report as fodder to get Congress to reform the Federal Information Security Management Act, the nearly dozen-year-old law that governs federal government IT security.
Talks But No Action, Yet
Over the past year, Carper and Coburn have discussed ways to reform FISMA but to no avail. One holdup in reaching a compromise is the role DHS could perform on leading cybersecurity efforts among civilian agencies. President Obama and Senate Democrats see a strong role for DHS while some key Republicans don't want to grant Homeland Security authority over other agencies.
In the report, the Republicans advise fellow lawmakers in contemplating FISMA reform to evaluate how the law has fared over the past decade. "For one thing," the report says, "FISMA could benefit from reforms of its own. But more importantly, its history can hold clues to the federal government's ability to effectively mandate and enforce cybersecurity standards."
Cybersecurity policy expert Allan Friedman questions whether the Republican report is turning government security into a political dispute. "By using federal system security as a political tool, this report turns important questions, such as FISMA reform, into a hot-button political issue rather than an important questions of governance, risk management and compliance," says Friedman, a visiting scholar at George Washington University's Cybersecurity Policy Research Institute who coauthored the book "Cybersecurity and Cyberwar: What Everyone Needs to Know".
Friedman says both political parties have been reluctant to pass a low-hanging-fruits cybersecurity bill, with simple, bipartisan provisions such as education and research funding as well as the much needed overhaul of FISMA. "By drawing analogies between the flaws of a 12-year-old law and the administration's current policy, this approach can threaten the progress of essential reforms," he says.
Detailing Significant Breaches
Republicans on the committee say they've seen significant breaches in cybersecurity that could affect critical U.S. infrastructure. Here are examples of vulnerabilities that appear in the report:
- The Nuclear Regulatory Commission stored sensitive cybersecurity details for nuclear plants on an unprotected shared drive, making them more vulnerable to hackers and cyber thieves.
- The Securities and Exchange Commission routinely exposed extremely sensitive data about the computer networks supporting the New York Stock Exchange, including NYSE's cybersecurity measures. The information the SEC exposed reportedly could be extremely useful to a hacker or terrorist who wanted to penetrate the market's defenses and attack its systems.
- Hackers gained access to U.S. Army Corps of Engineers computers and downloaded an entire non-public database of information about the nation's 85,000 dams, including sensitive information about each dam's condition, the potential for fatalities if breached, location and nearest city.
- Hackers exploited a vulnerability on web servers belonging to NIST that hosted the federal government's database of known software vulnerabilities, causing NIST to take the servers out of service for several days.
The report also says hackers have penetrated systems operated by DHS and the departments of Justice, Defense, State, Labor, Energy and Commerce as well as NASA, the Environmental Protection Agency, Office of Personal Management, Federal Reserve, Commodity Futures Trading Commission, Food and Drug Administration, Copyright Office and National Weather Service.
Invisible Hacks Aplenty
"These are just hacks whose details became known to the public, often because the hackers themselves announced their exploits," the report says. "Largely invisible to the public and policymakers are over 48,000 other cyber-incidents involving government systems which agencies detected and reported to DHS in FY 2012. And one cannot ignore the universe of other intrusions that agencies could not detect: civilian agencies don't detect roughly four in 10 intrusions."
Acknowledging that federal agencies face cybersecurity challenges, a White House spokeswoman responding to the report says cybersecurity remains a top administration policy. "As we have seen in the private sector, cyberthreats evolve every day, and our mission is to stay ever vigilant and to stay ahead of the threats by identifying and mitigating them and by continually improving our efforts," spokeswoman Laura Lucas Magnuson says.
A spokesperson for the Department of Homeland Security, which the administration has charged with helping other civilian agencies secure their IT, defends its efforts over the past five years to strengthen government IT security and reduce risks. DHS spokesperson S.Y. Lee specifically points to the department's continuous diagnostic and mitigation program, which identifies systems vulnerabilities and helps agencies acquire tools to fix the most serious problems (see Feds Tackle Continuous Monitoring).