A 10-month Senate Permanent Subcommittee on Investigations review into the cybersecurity measures being taken by eight federal agencies showed increasing cyberthreats and largely unmitigated vulnerabilities.
(TNS) — Federal government offices are wildly vulnerable to cyberattacks, with the number of cyberincidents reported by federal agencies increasing more than 1,300% between 2006 and 2015.
But those being attacked are doing very little to protect themselves, according to the results of a 10-month Senate investigation of eight federal agencies.
The Senate Permanent Subcommittee on Investigations, chaired by Sen. Rob Portman, R-Ohio, found that the Department of Homeland Security — the agency tasked with fighting cyberattacks — and seven other agencies have failed to address the vulnerabilities in their IT infrastructure, leaving themselves susceptible to cyberattack and Americans' personal information vulnerable to theft.
Problems range from systems so antiquated they can't be updated with new security patches to agencies that year after year fail to protect the personal information of millions of Americans.
The subcommittee studied 10 years' worth of government agency audits of the IT systems of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, Education and the Social Security Administration.
Their investigation comes after a surge in data breaches in the federal government with agencies, including the U.S. Postal Service, the Internal Revenue Service and the White House, reporting attacks.
In 2015, for example, a hacker broke into government databases to gain access to 22 million security clearance files from the Office of Personnel Management.
In 2017 alone, meanwhile, federal agencies reported 35,277 cyberincidents.
Federal agencies often have access to sensitive information because of the nature of what they do.
The Department of Education collects financial data on students and parents applying for college loans.
Disabled Americans must provide years of medical records to prove they are entitled to disability benefits from the Social Security Administration.
And homeowners must provide payroll and savings information to the Department of Housing and Urban Development to qualify for home loans.
Congress tasked agencies with securing their IT networks as far back as 2002, and asked each agency's inspector general to audit compliance with basic cybersecurity standards annually.
But the subcommittee found most of the agencies studied were failing to comply with even the most basic standards, including properly protecting personally identifiable information.
Five agencies did not maintain a comprehensive and accurate list of information technology assets, meaning they had no idea which applications were operating on their networks.
All eight agencies failed to install security patches and other updates to prevent their systems from being vulnerable to attack.
In the most recent audits, seven of the eight agencies failed to provide for the adequate protection of personally identifiable information.
And all of the agencies used legacy systems that were so old that vendors no longer support or issue updates to patch cybersecurity vulnerabilities.
Homeland Security, for example, uses Windows 2003 on some of its systems.
The setup used by Housing and Urban Development to initiate and track loan case numbers and associated data, meanwhile, is so old that lenders are unable to submit loan applications electronically and must instead send hard copies through the mail. And Social Security's system to hold retirement and disability information on millions of Americans in some cases uses a programming language developed in the 1950s and 1960s — a language that will become increasingly obsolete as the IT professionals who know the coding language retire.
Some of the agencies are particularly susceptible to attack. The Department of Education, for example, has been unable to prevent unauthorized outside devices from easily connecting to the agency's network since 2011.
In its 2018 audit, that department's inspector general found the department had been able to restrict unauthorized access to 90 seconds — still enough time for a hacker to "launch an attack or gain intermittent access to internal network resources that could lead to" exposing the agency's data.
Education holds personally identifiable information on millions of Americans.
Portman said federal agencies "have failed at implementing basic cybersecurity practices, leaving classified, personal and sensitive information unsafe and vulnerable to theft."
"The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats," he said.
The report makes a list of recommendations aimed at securing government IT systems. Among them: that federal agencies consolidate security processes and capabilities in order to better detect cybersecurity incidents and that each agency give its chief information officer broader authority and latitude to make organization-wide decisions regarding cybersecurity.
Sen. Tom Carper, D-Del., the ranking member of the subcommittee, said the Office of Management and Budget — the agency responsible for cybersecurity efforts across government — "must provide the necessary leadership to ensure that agencies are staying vigilant and prioritizing good cybersecurity practices."
"We know that the threats posed by cyberattacks continue to evolve and grow every day, so it is crucial that agencies across our government prioritize efforts to better protect their networks from hackers," he said.
©2019 The Repository, Canton, Ohio. Distributed by Tribune Content Agency, LLC.