The investigation found sweeping failures in cybersecurity, including systems that still run on Windows XP and one safety system that’s 48 years old.
Among the sensitive information that has been at risk for years are financial data for students and parents applying for college loans on file with the Education Department; payroll and banking information for would-be buyers seeking to qualify for home loans, at the Department of Housing and Urban Development; and U.S. citizens’ travel records, at Homeland Security, the report said.
All eight of the agencies are using woefully outdated systems, the report found. Homeland Security — the agency most responsible for protecting Americans’ physical safety — still uses Windows XP and Windows Server 2003 on many of its systems, it said.
Microsoft Corp. ended support for XP in 2014 and for Server 2003 in 2015.
The report found one system — cataloging hazardous materials data at the Transportation Department — that was still in use after 48 years, until just last month. One of that system’s biggest obstacles, it said, was that there was virtually nobody left who knew how to operate it.
Social Security has a similar problem, according to the report: Its system to store retirement and disability information for millions of Americans uses a programming language that was first developed in the 1950s, and most of the people who know how to use it have either retired or are about to.
At the Education Department, meanwhile, systems have been unable to prevent unauthorized outside devices from easily connecting to the department’s network going back as far as 2011, it said.
The Education Department did report last year that it had managed to work out how to limit unauthorized access to about 90 seconds. But the report said that’s more than enough time for a malicious actor to “launch an attack or gain intermittent access to internal network resources” — including millions of Americans’ personally identifying data.
The report found that agency inspectors general “have cited many of these same vulnerabilities for the past decade.”
Sen. Rob Portman, R-Ohio, chairman of the investigations subcommittee, accused the government of having “failed at implementing basic cybersecurity practices, leaving classified, personal and sensitive information unsafe and vulnerable to theft.”
The report recommended sweeping changes across the government’s cybersecurity programs, including instituting new budgeting procedures to make sure the most critical threats are addressed, consolidating security processes to speed reaction time and prioritizing cybersecurity expertise in hiring.
“Hackers with malicious intent can and do attack federal government cyber infrastructure consistently,” Portman said in a statement accompanying the report.
“In 2017 alone, federal agencies reported 35,277 cyberincidents,” he said. “Yet our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal and sensitive information unsafe and vulnerable to theft.”