Federal agencies responsible for safeguarding millions of Americans' security, public safety and personal data have failed to apply even basic defenses to cyberattacks, Senate investigators said Tuesday.

The alarming warning comes after a 10-month review of 10 years of inspector general's reports by the Permanent Subcommittee on Investigations of the Senate Homeland Security Committee.

The 99-page report accuses eight critical agencies, including the Department of Homeland Security, the State Department and the Social Security Administration, of:

  • Having relied on outdated systems — at least one of them almost 50 years old
  • Having neglected to keep track of hardware and software
  • Having failed to apply mandatory security patches
  • Having ignored well-known threats and weaknesses, in some cases for more than a decade

The failures worsened even as the number of cyberincidents reported by federal agencies exploded from about 5,500 in 2006 to more than 77,000 in 2015, a 13-fold increase, investigators said. Reported incidents dropped by 56 percent in 2017, they said, but only because the rules changed to allow agencies to report fewer kinds of attacks, including hostile network scans and probes.

Despite numerous publicly reported major breaches, "the federal government remains unprepared to confront the dynamic cyber threats of today," according to the report.

Among the sensitive information that has been at risk for years are financial data for students and parents applying for college loans on file with the Education Department; payroll and banking information for would-be buyers seeking to qualify for home loans, at the Department of Housing and Urban Development; and U.S. citizens' travel records, at Homeland Security, the report said.

All eight of the agencies are using woefully outdated systems, the report found. Homeland Security — the agency most responsible for protecting Americans' physical safety — still uses Windows XP and Windows Server 2003 on many of its systems, it said.

Microsoft Corp. ended support for XP in 2014 and for Server 2003 in 2015.

The report found one system — cataloging hazardous materials data at the Transportation Department — that was still in use after for 48 years until just last month. One of that system's biggest obstacles, it said, was that there was virtually nobody left who knew how to operate it.

Social Security has a similar problem, according to the report: Its system to store retirement and disability information for millions of Americans uses a programming language that was first developed in the 1950s, and most of the people who know how to use it have either retired or are about to.

At the Education Department, meanwhile, systems have been unable to prevent unauthorized outside devices from easily connecting to the department's network going back as far as 2011, it said.

The Education Department did report last year that it had managed to work out how to limit unauthorized access to about 90 seconds. But the report said that's more than enough time for a malicious actor to "launch an attack or gain intermittent access to internal network resources" — including millions of Americans' personally identifying data.
The report found that agency inspectors general "have cited many of these same vulnerabilities for the past decade."

Sen. Rob Portman, R-Ohio, chairman of the investigations subcommittee, accused the government of having "failed at implementing basic cybersecurity practices, leaving classified, personal and sensitive information unsafe and vulnerable to theft."

The report recommended sweeping changes across the government's cybersecurity programs, including instituting new budgeting procedures to make sure the most critical threats are addressed, consolidating security processes to speed reaction time and prioritizing cybersecurity expertise in hiring.

"Hackers with malicious intent can and do attack federal government cyber infrastructure consistently," Portman said in a statement accompanying the report.

"In 2017 alone, federal agencies reported 35,277 cyberincidents," he said. "Yet our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal and sensitive information unsafe and vulnerable to theft."