Washington CNN  — 

Key agencies across the federal government continue to fail to meet basic cybersecurity standards, according to a new Senate report released Tuesday, which found systematic failures to safeguard data.

Amid a rise of state-sponsored hacks and ransomware cybersecurity incidents, seven agencies were found to have failed at effectively securing data, the report concluded, resulting in an average grade of C- for the large federal agencies.

Only the Department of Homeland Security had an effective cybersecurity program for 2020, according to the report. “[E]very other agency failed to implement an effective cybersecurity program,” it said.

The shortcomings at the federal agencies compromise national security and can allow cybercriminals to access personal information, concluded the senators who issued the staff report – Rob Portman, a Republican from Ohio, and Gary Peters, a Democrat from Michigan, who lead the Senate Homeland Security and Governmental Affairs Committee.

While the average grade of the large federal agencies’ overall information security maturity was a C-, the Departments of State, Commerce, Education, Transportation and Veterans Affairs all scored lower than that with D grades.

The federal cybersecurity report was a follow-up to a 2019 review of eight agencies – the Department of Homeland Security; the Department of State; the Department of Transportation; the Department of Housing and Urban Development; the Department of Agriculture; the Department of Health and Human Services; the Department of Education; and the Social Security Administration.

Although DHS had an effective cybersecurity program in 2020, the department had other issues. Its Inspector General failed to submit its annual evaluation to Congress prior to this report’s release.

And the department’s flagship cybersecurity program for federal agencies, known as EINSTEIN, “suffers from significant limitations in detecting and preventing intrusions,” concluded the Senate report.

The program is intended to detect and block cyberattacks from compromising federal agencies, as well as provide DHS with threat information to help protect other agencies and the private sector.

The report recommended that DHS provide Congress with a plan to update EINSTEIN and to justify its cost.

The report uncovered a range of issues at the agencies, including failures to adequately protect personally identifiable information, to maintain accurate and comprehensive IT asset inventories, and to retire legacy technology no longer supported by the vendor.

For example, six agencies failed to install security patches and other vulnerability remediation controls quickly. Seven agencies used legacy systems or applications no longer supported by the vendor with security updates.

During one exercise, hundreds of documents with personal information, including 200 credit card numbers, were accessed by investigators without the Department of Education’s IT staff noticing.

“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data,” Portman said in a statement.

The failure to address cybersecurity vulnerabilities at US federal agencies “leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers,” he added.

Portman said, in the coming months, he plans to introduce legislation to address the recommendations raised in the report.

Portman and Peters also concluded that there is no single point of accountability for federal cybersecurity.

Cybersecurity responsibilities are “highly federated, making government-wide information security improvements difficult,” according to the senators.

The federal government also lacks a unified cybersecurity strategy to combat the current threat landscape, they said.