
Federal cybersecurity defenses not strong enough to protect American data, Senate report warns

Friday, August 6, 2021

Categories: ASCF News Cyber Security


Source: https://www.cbsnews.com/news/federal-cybersecurity-defenses-american-data-at-risk-senate-report/

This May 4, 2021 file photo shows a sign outside the Robert F. Kennedy Department of Justice building in Washington. The Russian hackers behind the massive SolarWinds cyberespionage campaign broke into the email accounts of some of the most prominent federal prosecutors’ offices around the country last year, the Department of Justice said Friday, July 30, 2021. PATRICK SEMANSKY/AP

Federal agencies responsible for safeguarding the security and personal data of millions of Americans have failed to implement basic defenses against cyberattacks, according to a report from Senate investigators released Tuesday. The agencies earned a C- report card for falling short of federally mandated standards in the 47-page report by the Senate Homeland Security Committee.

The report also concluded that Americans' personal information remains at risk in the wake of a slew of high-profile cyber attacks and evaluated two years of inspector general reports.

The audit accuses eight critical agencies, including the Department of Homeland Security (DHS), the State Department and the Social Security Administration (SSA), of relying on outdated systems, ignoring mandatory security patches and failing to protect sensitive data such as names, dates of birth, income, social security numbers and credit card numbers.

In 2020, the White House reported 30,819 information security incidents across the federal government, an 8% increase from 2019, according to the report, which also evaluated the Department of Transportation (DOT), the Department of Housing and Urban Development (HUD), the Department of Agriculture (USDA), the Department of Health and Human Services (HHS) and the Department of Education.

According to the report, HUD's top watchdog found an "unauthorized 'shadow IT'" system on the agency's network that "existed without approved authorities to operate."

In a test of its cyber defenses, the State Department could not provide documents accounting for 60% of employees who had access to the agency's classified network. The report found the agency "left thousands of accounts active after an employee left the agency for extended periods of time on both its classified and unclassified networks."

The top watchdog at the Department of Education retrieved "hundreds of sensitive personally identifiable information files, including 200 credit card numbers without the agency detecting or blocking it."

At the Department of Transportation, the Inspector General had no record of nearly 15,000 IT assets owned by the department, including "7,231 mobile devices, 4,824 servers, and 2,880 workstations."

"All agencies failed to comply with statutory requirements to certify to Congress they have implemented certain key cybersecurity requirements including encryption of sensitive data, least privilege, and multi-factor authentication," said the report.

Tuesday's review outlines failures to comply with the Federal Information Security Modernization Act (FISMA) of 2014 and comes on the heels of two major security incidents breaching multiple federal agencies.

In April 2021, Chinese state-sponsored hackers breached five federal agencies through vulnerabilities in products from a popular, Utah-based software company, Pulse Connect Secure. Russian-linked criminals compromised nine federal agencies and 100 private sector groups through a supply-chain hack of SolarWinds, first discovered in December 2020.

"From SolarWinds to recent ransomware attacks against critical infrastructure, it's clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America's data," Senator Rob Portman from Ohio said in a statement.

"This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers," added Portman, the ranking member of the Senate Homeland Security Committee. "I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade."

The bipartisan report compiled by congressional investigators draws information from Inspector General reports issued by federal agencies' top watchdogs in fiscal year 2020. It follows the subcommittee's initial report in 2019 that evaluated the same eight agencies.

Since the 2019 audit, investigators found only the Department of Homeland Security (DHS) established an effective information security program. "Three agencies—the Department of Transportation (DOT), Department of Education, and Social Security Administration (SSA)—showed very little improvement since the Subcommittee's report in 2019," the report added.

Tuesday's evaluation also found that EINSTEIN, DHS's flagship cybersecurity program for federal agencies, suffers from "significant limitations in detecting and preventing intrusions."

Congressional investigators recommended an "update" to EINSTEIN that justifies its cost. Authorization of the program, with a price tag in the billions, is set to expire in 2022.

The report also makes several suggestions aimed at boosting coordination, including a recommendation that the administration assign a primary office to develop and implement a cybersecurity strategy for the federal government.

"There isn't currently a single point of accountability, government-wide, for cybersecurity," a committee aide said. "Each agency is responsible for its own cybersecurity, but government-wide it's not clear who is responsible for coordinating the whole strategy."

Lawmakers have not collectively decided on who should quarterback the nation's cybersecurity, but cybersecurity experts have pointed to DHS' cyber arm launched in 2019. The Cybersecurity and Infrastructure Security Agency (CISA) is currently charged with disseminating actionable information to both federal agencies and private industry to attempt to prevent repeat cyberattacks.

"Government-wide cybersecurity is highly federated," a committee aide said. "That federalization, that balkanization of cybersecurity across federal agencies has been a persistent problem. It's probably a large part of why we've seen such performance issues at each of these agencies."

Last month, the White House swore in its inaugural National Cyber Director. The expanded role, building on the White House cybersecurity coordinator position eliminated under the Trump administration, was created as part of the most recent National Defense Authorization Act.

In his first public appearance, Director Chris Inglis said he plans to ensure digital infrastructure used by the 102 civilian components of the federal government has the "right technology [and] the right practices" to achieve "unity of effort and unity of purpose," at a virtual panel convened by the Atlantic Council, Monday.

Investigators also recommended that Congress update the Federal Information Security Modernization Act of 2014 "to reflect current cybersecurity best practices" and require federal agencies and contractors to notify CISA of certain cyber incidents.

Senators Peters and Portman are working on legislation to update the now outdated cybersecurity standards, committee aides confirmed to reporters. "I think we're hopeful that we can get that done and introduced this Congress," an aide added.
