A number of federal agencies are woefully unprepared for cyberattacks, while others "have not met the basic cybersecurity standards necessary to protect America's sensitive data," according to a report released Tuesday by the Senate committee overseeing homeland security.
The committee reviewed the annual audit findings from the internal watchdogs of eight federal agencies — the departments of Homeland Security, State, Transportation, Education, Housing and Urban Development, Agriculture, and Health and Human Services, along with the Social Security Administration — for fiscal year 2020.
The report, titled "Federal Cybersecurity: America's Data Still at Risk," determined that seven of the agencies have failed to comply with the Federal Information Security Modernization Act, which President Barack Obama signed in 2014 to help the government better confront an increase in attacks on departments and agencies. The report found that at least seven of the eight agencies still operated unsupported legacy systems that were vulnerable.
Sen. Gary Peters, D-Mich., chairman of the Homeland Security and Government Operations Committee, said in a statement that little appears to have changed since the committee released a report in 2019 on federal agency cybersecurity, which showed systemic failures at the eight agencies.
Peters also said that while funding from the American Rescue Plan, which President Joe Biden signed in March, has helped bolster cybersecurity at the federal level, there is more work to be done.
Overall, the report said, "it is clear that the data entrusted to these eight agencies remains at risk."
Federal agencies and American tech companies, such as Microsoft, have reported intrusions by hackers in Russia and China. A particularly widespread security issue centered on the Austin, Texas-based software provider SolarWinds: Russia-linked hackers exploited flaws to gain access to thousands of email accounts across at least 150 organizations, including the Agency for International Development and the Department of Homeland Security.
In May, a cyberattack forced a major oil pipeline run by a private company offline, with a criminal group in Russia believed to be responsible. (Moscow said it was not involved.)
"From SolarWinds to recent ransomware attacks against critical infrastructure, it's clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America's data," Sen. Rob Portman, R-Ohio, the ranking member of the Homeland Security Committee, said in a statement.
The panel also handed out grades for overall cybersecurity practices to all the Cabinet departments and the largest independent federal agencies.
Of the eight agencies the report focused on, the departments of Housing and Urban Development, Agriculture, and Health and Human Services got C's. The departments of State, Transportation and Education and the Social Security Administration got D's. The Department of Homeland Security was given the highest score, a B.
The average grade of the large federal agencies was C-minus. The Environmental Protection Agency got a C, while NASA got a D.