'Significant breaches' show Obama failure on cyber-security, GOP senators say

Among the breaches listed by a Senate committee minority report were the thefts of a list of the weakest US dams and of cyber-security plans at nuclear power plants.

Lawrence Jackson/AP/File
Sen. Tom Coburn (R) of Oklahoma, seen here at a Senate Homeland Security subcommittee meeting in 2006, oversaw development of a report that says many federal agencies are failing to employ even basic cyber-security measures, despite spending billions on the issue.

The Obama administration and federal agencies are failing to employ even basic cyber-security measures to keep the nation safe while spending billions on the issue, a new congressional report charges, citing a raft of “significant breaches” in cyber-security in recent years.

Among the breaches that the report said threatened critical US infrastructure were the thefts of a list of the weakest US dams and of the cyber-security plans at nuclear power plants.

Hackers also penetrated the New York Stock Exchange and even sent out a fraudulent presidential warning of zombie attacks (yes, zombie attacks) that was broadcast by TV stations in Michigan, Montana, and North Dakota, including an authoritative voice warning: “Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”

It might have been funny if not for the larger implications, such as the potential for a real enemy to spoof a presidential message, cyber-security experts note.

But the zombie hack attack was not a rare event, according to the report by the Republican minority of the Senate Homeland Security and Governmental Affairs Committee. It's just one of many cyber-security failures across key federal agencies with oversight of financial markets, nuclear power, and dam sites, to name a few.

“Weaknesses in the federal government’s own cyber-security have put at risk the electrical grid, our financial markets, our emergency response systems, and our citizens’ personal information,” said Sen. Tom Coburn (R) of Oklahoma, who oversaw development of the report, in a statement Tuesday.

Hackers have penetrated, taken control of, damaged, or stolen sensitive information from computer systems across the federal government, including the Departments of Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce, the report says. Now add NASA; the Environmental Protection Agency; the Federal Reserve; the Commodity Futures Trading Commission; the Food and Drug Administration; the National Weather Service; and others.

The report’s laundry list of cyber-missteps was culled from more than 40 audits, investigations, reviews by agency Inspectors General, the Government Accountability Office, and news reports. Even basic steps like stronger passwords or patching computers with updates could have fixed many vulnerabilities, it said.

“While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cyber-security, there are very basic – and critically important – precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing,” Senator Coburn said.

Cyber-security experts generally agree federal agencies are in need of vastly increased computer security funding and management attention.

“It’s a kind of cyber-threat amnesia that these agencies have,” says Bob Gourley, publisher of CTOLabs.com, a technical research service focused on federal cyber-security. “Each time there’s a major attack these agencies declare that it’s a ‘wake-up call,’ make some changes – and then forget about it. Does this mean it’s impossible and that we should just give up? No, some folks are getting it right. The solution is education.”

But Congress bears responsibility, too, the experts note. For years Congress has struggled without success to pass updated cyber-security legislation that many say is desperately needed to protect US critical infrastructure.

James Lewis, a cyber-security expert at the Center for Strategic and International Studies in Washington, says the minority report’s laundry list of federal cyber failures could be interpreted as an “old canard that the government shouldn’t tell the private sector to secure its networks until its own networks are secure.”

While the Obama administration has argued for federal authority to mandate cyber-security performance standards to protect infrastructure like the US electric grid, the US Chamber of Commerce and its allies in Congress have bitterly resisted any such measures.

“It’s lobbyist logic, very flawed,” Dr. Lewis says. “It’s like saying the government shouldn’t set environmental rules until all agencies are perfect. Also, agencies have to report when they’re hacked. Companies don’t, so it’s a distorted picture.... I dare them to do a similar review of Fortune 500 companies.”

In fact, at least some federal agencies are doing cyber-security pretty well, according to Mr. Gourley, who says taking action on just four fronts identified recently by the SANS Institute would eliminate the lion’s share of cyber insecurity in government.

“It’s not that hard. But it takes time, attention, and some money to get the job done,” Gourley says. “Pockets in the government are doing it well. The Department of Defense and FBI, for instance. But I’m shocked at the number [of agencies] that aren’t. There are agencies not in that report that scare me their security is so poor.”
