It's almost a truism to state that government IT security is frequently lacking, but a new Senate subcommittee report has underscored just how severe the problem is. Investigators found that several federal agencies (including the State Department, Homeland Security and the Social Security Administration) didn't adequately protect personal data, and that six of them hadn't installed security patches in a "timely" fashion to close vulnerabilities. In some cases, these flaws had lasted for roughly a decade or more.
The departments of Agriculture, Health and Human Services, Homeland Security and Transportation all failed to tackle vulnerabilities identified over a decade earlier, for instance. The Social Security Administration's weak spots risked exposing the data of 60 million Americans. Several agencies didn't install patches properly for most or all of the past ten years. And the Education Department hasn't had a way to keep unauthorized devices off its network since 2011 -- it can limit access to 90 seconds, but that's more than enough time to insert malware or grab sensitive documents.
Just what happens next isn't certain. A source speaking to The Hill said the subcommittee didn't plan to hold hearings, but that Chairman Rob Portman would consider the findings when drafting any "legislative solutions." It might get fixed some day. Recommendations in the report would give chief information officers more power over security decisions, improve communication with agency leaders and require progress reports on fixing security flaws when defending a given department's budget. These aren't binding, though, and there's no concrete mechanism in place to implement those changes.
If there's any consolation, it's that the current administration wants to invest more in cybersecurity. There's a chance some of that money will go toward shoring up defenses. It's not likely to be a comprehensive fix, mind you. That suggests at least some of the shortcomings are likely to persist for a while.