America’s Data ‘Still at Risk’ From Cyber Saboteurs: Senate
A Senate report Tuesday lambasting the continued “failure” to shore up U.S. vulnerabilities to cyberattacks lends added weight to President Joe Biden’s recent warning that the shadow conflict in cyberspace could morph into a shooting war.
Escalating cyber attacks and the failure to protect key U.S. infrastructure against them continue to place America “at risk,” according to a Senate report released Tuesday.
In what it described as a “stark” finding, the report said seven of eight federal agencies identified in 2019 as vulnerable to cybersabotage “still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.”
“Unpatched critical vulnerabilities and shadow IT make breaching agencies’ networks and stealing sensitive data easier and cheaper, at a time when the Federal Government should be making it harder and more expensive,” the report continued.
Commenting on the report, Senator Rob Portman (R-OH), said the report “shows a sustained failure” to address the nation’s cybersecurity vulnerabilities.
“(It’s) a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers.”
The Senate report follows on the heels of a warning from President Joe Biden that the growing shadow conflict in global cyberspace could result in a “real shooting war.”
“If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence,” said the president in a July 27 speech at the office of the Director of National Intelligence.
The Senate report, bearing the title “America’s data still at risk,” said large-scale cyber incidents like SolarWinds and Microsoft Exchange “illustrate the considerable threats facing federal agencies.”
“These attacks also make the longstanding vulnerabilities repeatedly documented by Inspector Generals all the more concerning.”
The latest Senate report assigned grades to federal agencies based on a “report card” system; many earning a C or D grade based on their cybersecurity measures.
“As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow [personally identifiable information] and national security secrets to remain vulnerable,” said the report.
In addition to top-secret government information or technology that remains vulnerable to hacking, personal and financial information of American citizens kept by the Social Security Administration, Department of Education and Transportation departments were also at risk.
The report found that such committees left data in unmonitored accounts, leaving information vulnerable to hackers, indicating a “decades-long” problem for the federal government, said the opinion piece.
The report paints “a picture of a government that, despite years of warning shots, is ill-prepared to withstand hacks from Russia, China and elsewhere,” said cybersecurity expert Joseph Marks in an opinion piece for the Washington Post.
Vulnerability for private companies also remains a risk, and requires more thorough laws that standardize cyber security and protection.
A recent news release from a California-based company called RiskIQ identified that a Russian “advanced persistent threat” or ATP29, was responsible for stolen data and compromised networks in “more than 30 command and control servers.”
According to an article by Bloomberg, ATP29 is also highly suspected to have some responsibility in hacking data regarding the development of the COVID-19 vaccine in America, as well as having involvement in the DNC hack of 2016.
Even though the same group sent attacks to United States cybersecurity during the 2016 election, American companies continue to suffer attacks from them.
“APT29 is using the same malware they used to steal Covid-19 research a year ago, despite the fact that the U.S., U.K., and Canadian governments called them out on it,” said the Director of Threat Intelligence at RiskIQ in the Bloomberg article. “They haven’t missed a beat.”
Just last December nearly 30 U.S. Attorneys offices suffered Microsoft email account hacks as a part of the SolarWinds hack. The hack affected offices in Washington D.C., New York and California, all of which contain confidential information.
Although the Biden administration has imposed sanctions as well as made multiple warnings against cybersecurity hacks, specifically by Russia and China, little has been done to better protect American data.
Read more: Senators Introduce Legislation Requiring Reports of Cybersecurity Threats
Emily Riley is a TCR contributing writer.