Chief information officers are so concerned with operating IT networks that they skimp on cybersecurity, according to a congressional investigation of multiple data breaches at the Health and Human Services Department.
The report, by Republicans on the House Committee on Energy and Commerce, concludes that agency lawyers, who are trained to minimize risks, would do a better job of safeguarding IT networks.
The committee launched the investigation in 2013 following a breach at the Food and Drug Administration. A low-level hacker bypassed an internal network’s security protocols. The FDA discovered the breach the same day, rendering it little more than a nuisance. But the incident raised broader concerns about IT security. As the committee continued its investigation, it found similar issues throughout HHS.
“What we found is alarming and unacceptable. At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack. With the recent Office of Personnel Management attack serving as another example of how wrong things can go, this report pulls back the curtain and sheds light on serious deficiencies in HHS’s information security practices,” said Committee Chairman Fred Upton (R-Mich.) and Rep. Tim Murphy (R-Pa.) in a joint statement.
By law, chief information security officers (CISOs) are now part of CIO offices. But the two roles have different priorities. CIOs want network operations to run smoothly. Security concerns — the purview of CISOs — may delay or slow down those operations.
When there is a conflict between the two, “operational needs are prioritized and security concerns downplayed, delayed or ignored,” the report said.
As proof, it cited incomplete security audits caused by operational concerns at two HHS components.
More and more companies, recognizing similar conflicts within their own organizations, have moved their chief security officers out of their CIO offices, the report said, citing a 2014 survey by ThreatTrack Security.
The committee recommended that HHS strip its CIOs of all security-related responsibilities. CISOs would move from the CIO offices to those of the general counsel.
“The placement of the CISO within the Office of the General or Chief Counsel specifically acknowledges that information security has evolved into a risk-management activity, traditionally the purview of the legal team,” it said.
Some of the other incidents examined by the committee took place at the Centers for Medicare and Medicaid Services, the National Institutes of Health, and the Substance Abuse and Mental Health Services Administration. In the last of these cases, a hacker compromised a SAMHSA website with advertisements for NFL jerseys and UGG boots.
“The diversity of the agencies, officials, networks, technologies and exploits involved in these incidents suggests that no individual office or technology is to blame,” the report said. “Rather, there is a fundamental weakness within the information security programs in place at HHS and its operating divisions.”
Throughout, the report found that ill-prepared IT staff, coupled with firewalls between HHS and some of its contractors, created an environment that hackers could penetrate.
Staff errors enabled three of the breaches, according to the report. Two cases were attributed to misconfigurations. In the third, the IT staff failed to install a software patch deemed critical. Separately, IT security workers at one agency mistook a list of hacker aliases for security vulnerabilities.
HHS did not respond to a request for comment. A committee spokesperson said the panel has not settled on a plan of action.
“We look forward to working with HHS, FDA, NIH, and others to develop solutions to better protect this information. Unfortunately, the bar has been set low and we have nowhere to go but up,” Upton and Murphy said in their written statement.