What about those seven departments who remain lax in cybersecurity controls?

The Senate Homeland Security and Governmental Affairs Committee has cited seven federal departments, including Health and Human Services and the Social Security Administration, for failing to establish minimum cybersecurity controls, and for not protecting personally identifiable information. For analysis, Federal Drive with Tom Temin spoke with senior fellow at the Center for Growth and Opportunity at Utah State University Will Rinehart.

Interview transcript:

Tom Temin: What do you make of this report? It’s a follow-on from what the same committee looked at two years ago, and everybody’s kind of in the same boat with the exception of the Homeland Security Department.

Will Rinehart: Yeah, exactly. With the exception of DHS, it seems that everyone’s in kind of a bad position yet again. So in 2019, there was a push – and really this goes back to 2016, 2015 – to ensure that the data is secured, and to ensure that these big government agencies which have and collect a lot of personally identifiable information on individuals, that they have the best security possible, that they’re doing all the things that they should be doing to ensure that Americans’ data is secured. It seems that a lot of agencies, unfortunately, are not up to snuff on this one.

Tom Temin: And you’ve been following this issue for quite some time now. And the study cited the fact that they were not up to all of the Federal Information Security Management Act (FISMA) controls. But if an agency is fully compliant with everything FISMA demands, that doesn’t necessarily make it totally cybersecure.

Will Rinehart: No, I don’t think that we should think that anything is able to be completely secure. This is, unfortunately, a constant cat-and-mouse game where bad actors, to be very blunt, hackers and people who are nefarious state actors, are trying to access information that these large agencies obviously have. So this back and forth is constantly going to occur, unfortunately. And regardless of what these agencies end up doing, and honestly, they really do need to be compliant, and they need to do a better job of securing this information. But in spite of that, the real problem is that we’re seeing kind of a ramp up in the war. And it’s just going to be very, very difficult for these government agencies, as well as private actors, and even individuals to secure their data and to make sure that they aren’t hacked and that most important data isn’t taken from them.

Tom Temin: The report cites that a couple of years ago, six of the agencies did not have their patches in place, which is about as basic a cybersecurity control as you can get. And all of the eight at that time, which then included Homeland Security, they use software that was no longer supported by the vendor, therefore, there were no patches being issued for it. So as time goes on, it decays and gets more and more vulnerable. What is the essential issue for agencies that are still not with those basic controls?

Will Rinehart: To be very honest, it’s really difficult to maintain the software and maintain these code bases once they’re put into place. And so a big part of this is ensuring that you have up-to-date information that’s – up-to-date patches, that’s obviously very, very key. But you also have to have the extra support that goes along with that. And so a lot of the large tech companies, for all of their problems, are very good about constantly maintaining their code base and their data. They spend a lot of money and effort and human effort, labor in order to constantly upgrade the code base and that kind of the back end infrastructure. We’re seeing that is not occurring with these large agencies. I’ve heard a couple cases where some agencies, especially some of the local VAs, are actually still working on technology from the ’60s and the ’70s. So this is a pretty common problem within all government. But it doesn’t just apply to government agencies, we’re also seeing legacy and older companies, old mining companies and even Colonial Pipeline recently has similar sorts of problems where they’re constantly needing to upgrade and update their back end code. And this is just the constant problem that everyone’s having to chase, because keeping and securing this information is key but it’s also an important part of getting and maintaining a digital online lifestyle.

Tom Temin: We’re speaking with Will Rinehart, senior fellow with the Center for Growth and Opportunity at Utah State University. And of course, the Senate report is kind of a meta report. That is to say it is a gathering of all the inspector general reports of those seven departments. It looks from their survey of the IG reports that there’s failure to communicate. The IG keeps finding these things and the problems keep continuing. Would you say this is a problem of skill, a problem of resources or a problem of just simply making the right effort with the resources they do have?

Will Rinehart: I think it’s a little bit of everything. You don’t want to say just an all-of-the-above answer, but it really is an all-of-the-above answer. There is an issue when it comes to talent, talent especially in government is hugely needed. There’s a lot of openings still for cybersecurity, and IT infrastructure at really all levels of government. There is oftentimes the problem of scope. The leaders who are at the tops of these agencies have a lot that is going on. And it’s huge and important that you have somebody who is driving IT at that level of the agency at the C-suite level of an agency and kind of the department level or director level. So that matters as well. So yes, there is this issue of bringing it to the forefront and making sure that it is a part of the agenda. But fundamentally, these things constantly occur. Because it’s really hard to switch over and use new technology, it’s really hard to update stuff. And it really is just you’re trying to change a boat that’s already in the water. And it’s moving really, really quickly. And you’re trying to change it, you know, as you’re actually sailing. So it’s really not an easy thing to do, despite all the IG reports that show that yes, the agencies need to do better.

Tom Temin: Now the six recommendations that the Senate committee made – and we should point out, this is a bipartisan report, both the chairman and the ranking member Sens. Peters and Portman are both behind this report – they’re not really prescriptive in terms of what you should do with cybersecurity. They’re more management recommendations. OMB should develop and require agencies to adopt a risk-based budgeting model, there should be a centrally coordinated approach to governmentwide cybersecurity to ensure accountability. That’s the general tone of these recommendations. That’s all well and good, but that doesn’t get the patches in. So it seems like the agencies really have to do some work at the ground level, even as some sort of a new superstructure for oversight gets established.

Will Rinehart: Yes, those two things I think need to happen at the same time, or at least in parallel, that you need to have these upgrades that occur to the agencies. But you also do need better oversight, you need a better way of managing risk, you need a better way of implementing these various standards, the FISMA standards, they need to be compliant with some of the new standards that have been created also by NIST. So all those things are obviously important that the agencies do, but I think that there is at least a sense that they need to accomplish them, however long it may take, and part of what needs to change in order to accomplish all those things. And obviously, there’s a lot of money that was given in the CARES package, there was a lot of money that was given in the last year or so through various agencies to upgrade these systems. But despite all of those things that are occurring, you really still do need a change in the way that leadership approaches these problems. And part of it is a generational issue, you have some people who have traditionally been at the agencies now for decades, and a lot of them have done very, very, very good work. But this is not the first thing that’s on their mind – security and cybersecurity and privacy of data is not really the first and most important thing on their mind. And as we see this kind of generational transition, I think you’re also going to see very much that occur as well, that there’ll be more emphasis placed on security and privacy and data issues, which for better or worse have not – well, much for worse – they have not been a central component of agendas, at least in the last decade or so.

Tom Temin: And of course, the report doesn’t talk about the Defense Department. But what’s your sense of how they’re doing because, again, the Defense Department is really all the components and each one is different. And each one for the most part is not accountable to the others – but at some level to the secretary of Defense.

Will Rinehart: From my understanding, the Defense Department has some of the similar issues that we’re seeing with these other agencies. They are obviously doing much better than Social Security Administration and, from my understanding, also the VA, and pretty much in the same places, obviously, is DHS. But this is a big issue that they’re facing. And the other thing I think is interesting in all of this, and it’s not just, obviously the Defense Department does and engages in certain kinds of technologies that allow them to, as they say, “air gap.” So there’s certain kinds of technologies that they’re never just going to allow on the internet and allowed to be connected to computer services. Now, that I think is a very separate sort of issue than what we see in fundamentally what’s going on in agencies that are connected to them as well. So as much as the Department of Defense obviously is huge and important, in defense you also see the Justice Department is important because it oftentimes will be a connection between agencies. You’ll see this obviously with the Treasury as well, the Treasury does a lot of filing of paperwork and that sort of thing is also, I think, really important as well, that as much as we think that these agencies are siloed and there’s only one thing that’s going on, say in the Department of Defense, they’re oftentimes outsourcing services to other agencies like Treasury or any number of other agencies to actually file paperwork. And that is part of this overall conversation, which, until you get really into the nitty gritty details of a singular issue, you don’t really start noticing it. That to me, I think, is a really big component as well, that there’s actually a lot more integration between these agencies than people will appreciate.

Tom Temin: And meantime, we have the Biden administration’s executive order on cybersecurity, which landed with quite a thud heard throughout the bureaucracy. Do you think that will enable more of these controls to get in place, and maybe agencies will start toeing the line with respect to FISMA and getting their patches and all of the basics in line?

Will Rinehart: I think that that will be an important part of all of this. The Biden administration has made cybersecurity a big important part of their agenda. They obviously came out pretty quickly with this cybersecurity executive order. There’s been a lot of interest at the highest levels of the government, at least the highest levels of this administration to push forward and to get more security. Obviously, there was something very similar with the Trump administration, but you don’t see the kind of drumbeat that is occurring currently with the Biden administration that happened with the Trump administration. This is a constant problem, though. And I don’t know that we’re going to see this solved as much as we’re going to see just more interest and probably more money being put into these services. The big question is how do you get benefit out of all that money and that, to me is also a constant problem that we have to attend to, which is how do we get the best bang out of our buck?