'Significant breaches' show Obama failure on cyber-security, GOP senators say

Among the breaches listed by a Senate committee minority report were the thefts of a list of the weakest US dams and of cyber-security plans at nuclear power plants.

The Obama administration and federal agencies are failing to employ even basic cyber-security measures to keep the nation safe while spending billions on the issue, a new congressional report charges, citing a raft of “significant breaches” in cyber-security over the past years.

Among the breaches that the report said threatened critical US infrastructure were the thefts of a list of the weakest US dams and of the cyber-security plans at nuclear power plants.

Hackers also penetrated the New York Stock Exchange and even sent out a fraudulent presidential warning of zombie attacks (yes, zombie attacks) that was broadcast by TV stations in Michigan, Montana, and North Dakota, including an authoritative voice warning: “Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”

It might have been funny if not for the larger implications, such as the potential for a real enemy to spoof a presidential message, cyber-security experts note.

But the zombie hack attack was not a rare event, according to the report by the Republican minority of the Senate Homeland Security and Governmental Affairs Committee. It's just one of many cyber-security failures across key federal agencies with oversight of financial markets, nuclear power, and dam sites to name a few.

“Weaknesses in the federal government’s own cyber-security have put at risk the electrical grid, our financial markets, our emergency response systems, and our citizens’ personal information,” said Sen. Tom Coburn (R) of Oklahoma, who oversaw development of the report, in a statement Tuesday.

Hackers have penetrated, taken control of, damaged, or stolen sensitive information from computer systems across the federal government including the Departments of Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce, the report says. Now add NASA; the Environmental Protection Agency; the Federal Reserve; the Commodity Futures Trading Commission; the Food and Drug Administration; the National Weather Service, and others.

The report’s laundry list of cyber-missteps was culled from more than 40 audits, investigations, reviews by agency Inspectors General, the Government Accountability Office, and news reports. Even basic steps like stronger passwords or patching computers with updates could have fixed many vulnerabilities, it said.

“While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cyber-security, there are very basic – and critically important – precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing,” Senator Coburn said.

Cyber-security experts generally agree federal agencies are in need of vastly increased computer security funding and management attention.

“It’s a kind of cyber-threat amnesia that these agencies have,” says Bob Gourley, publisher of CTOLabs.com, a technical research service focused on federal cyber-security. “Each time there’s a major attack these agencies declare that it’s a “wake up call,” make some changes – and then forget about it. Does this mean its impossible and that we should just give up? No some folks are getting it right. The solution is education.”

But Congress bears responsibility, too, the experts note. For years Congress has struggled without success to pass updated cyber-security legislation that many say is desperately needed to protect US critical infrastructure.

James Lewis, a cyber-security expert at the Center for Strategic and International Studies in Washington, says the minority report’s laundry list of federal cyber failures could be interpreted as an “old canard that the government shouldn’t tell the private sector to secure its networks until its own networks are secure.”

While the Obama administration has argued for federal authority to mandate cyber-security performance standards to protect infrastructure like the US electric grid, the US Chamber of Commerce and its allies in Congress have bitterly resisted any such measures.

“It’s lobbyist logic, very flawed,” Dr. Lewis says. “It’s like saying the government shouldn’t set environmental rules until all agencies are perfect. Also, agencies have to report when they’re hacked. Companies don’t, so it’s a distorted picture.... I dare them to do a similar review of Fortune 500 companies.”

In fact, at least some federal agencies are doing cyber-security pretty well, according to Mr. Gourley, who says taking action on just four fronts identified recently by the Sans Institute would eliminate the lion’s share of cyber insecurity in government.

“It’s not that hard. But it takes time, attention, and some money to get the job done,” Gourley says. “Pockets in the government are doing it well. The Department of Defense and FBI, for instance. But I’m shocked at the number [of agencies] that aren’t. There are agencies not in that report that scare me their security is so poor.”