Federal government’s computer systems are out of date and waiting to be breached

Federal government's computer systems are out of date and waiting to be breached

Talk about mind-boggling. This week the United States launched a cyberattack on Iran. Now there’s a report that the computer systems used at the Department of Homeland Security and other federal agencies are frighteningly out of date and open to data breaches.

The information comes from a report released this week by the Permanent Subcommittee on Investigations of the Senate Homeland Security Committee. The report reviewed 10 years of inspector general reports.

So, no matter how well you protect your personal information, the report found that several government agencies responsible for shielding millions of Americans personal data don’t even have the basic tools to defend their computer systems from a cyber attack. Even more worrisome, the department tasked with our nation’s security is in the same boat.

Windows XP and security patches

The report accuses eight agencies, including the Department of Homeland Security, the State Department, the Social Security Administration and the Department of Education, of failing to take even the most rudimentary steps to protect themselves from a malicious hacker attack.

The report found that the agencies were using outdated systems, including one that was almost 50 years old, failing to apply mandatory security patches and neglecting to keep track of hardware and software. For example, Homeland Security still uses Windows XP and Windows Server 2003 on many of its systems. Four years ago, Komando.com was sounding the alarm about the federal government’s continued use of Windows XP.

Microsoft hasn’t provided support for XP since 2014 and Server 2003 since 2015.

The Department of Education hasn’t been able to stop unauthorized devices from connecting to its network since 2011. According to the report, the department announced last year that it had managed to limit this unauthorized access to 90 seconds.

For hackers, however, 90 seconds is more than enough time to, as the report states, “launch an attack or gain intermittent access to internal network resources,” which include the personal data of millions of Americans. Don’t forget that the agency stores sensitive financial data from students and their parents applying for college loans.

Related: Microsoft releases Windows emergency security patch to combat fast-spreading malware

Eisenhower-era programming

Perhaps the most head-spinning information found in the report comes from the Social Security Administration. The agency that stores retirement and disability information on tens of millions of Americans uses a system that relies on a programming language developed in the 1950s.

The number of people at the agency who know the language is dwindling rapidly.

At the Transportation Department, the report found that a system tasked with cataloging hazardous material data had, until last month, been in use for 48 years. It was replaced because almost no one knew how to operate it.

Cyber attacks and changes

According to the report, the number of cyber incidents reported by federal agencies went from 5,500 in 2006 to an astounding 77,000 in 2015. Reported incidents dropped by 56% in 2017. But the Senate report states that the drop is due to rule changes allowing agencies to report fewer kinds of attacks, including hostile network scans.

The federal government remains unprepared to confront the dynamic cyber threats of today,” the report stated. Solving the problem will take making sweeping changes to the government’s cybersecurity infrastructure. The report recommends new budgeting procedures that address the most critical threats and making cybersecurity expertise a priority in hiring.

Although the federal government doesn’t seem to have a handle on its own cybersecurity, that doesn’t mean you can’t defend your private information from ransomware attacks, viruses and data breaches.

Here are some ways to stay protected:

  • Do not follow web links in unsolicited email messages because it could be a phishing attack. If you need to contact a business or website, make sure to type the web address directly into your browser to avoid a spoofed website.
  • Set up two-factor authentication when available. That means in order to log in to your account, you need two ways to prove you are who you say you are.
  • Use unique passwords instead of the same one over multiple websites. If your credentials are stolen from one site, it’s easy for the cybercriminal to get into other accounts.
  • Back up your critical files and store them offline so ransomware and other viruses won’t capture those files as well.

Tags: cybersecurity, malware, security