As large data breaches of private sector companies like Equifax in 2017, Uber in 2016, and Anthem in 2015 made headlines, the failure of the federal government to sufficiently protect the sensitive personal information it maintains on Americans has not been getting enough attention.
In 2015, a comprehensive review of the federal government’s cybersecurity policies, procedures, and practices was conducted, resulting in OMB Memo M-16-04, the Cybersecurity Strategy and Implementation Plan (CSIP). Under CSIP, federal agencies are required to 1) prioritize identification and protection of high value information and assets (HVA); 2) timely detect and rapidly respond to cyber incidents; 3) rapidly recover from incidents when they occur and accelerate adoption of lessons learned from the assessment that formulated the CSIP recommendations; 4) recruit and retain the most highly-qualified cybersecurity workforce talent the federal government can bring to bear; and, 5) efficiently and effectively acquire and deploy existing and emerging technology.
{mosads}As demonstrated by the two 2015 Office of Personnel Management (OPM) data breaches, HVAs are the most likely targets of hackers, and require the highest level of cybersecurity protection. The federal government, especially the Internal Revenue Service (IRS), maintains exceptionally sensitive information relating to taxpayers within its data systems, such as Social Security numbers, dates of birth, annual income, property values, investments, and business operations.
On May 18, 2018, the Treasury Inspector General for Tax Administration (TIGTA) released an audit reviewing the IRS’s information technology (IT) systems and the protection of HVAs within that agency. TIGTA determined that two of the 47 systems identified as HVAs needed to be reported to the Department of Homeland Security due to the agency’s failure to fully execute the CSIP requirements. TIGTA further noted that the IRS has failed to identify and document all its current system hardware components and effectively and timely mitigate critical and high-risk vulnerabilities within one of the HVAs.
The IRS is by far not the only agency holding sensitive data on the American people. The Centers for Medicare and Medicaid Services, Census Bureau, Department of Education, Department of Housing and Urban Development, Department of Labor, Department of Veterans Affairs, and Nuclear Regulatory Commission (NRC), along with many other federal agencies, are also responsible for maintaining security over data. Unfortunately, ongoing efforts to modernize and secure their IT systems have been mostly unsuccessful.
On May 23, Government Accountability Office (GAO) Director for Information Technology Management Issues David Powner submitted testimony before the House Oversight and Government Reform Subcommittees on Government Operations and Information Technology related to information technology (IT) acquisitions, operations, and cybersecurity. In his testimony, Powner stated, “the federal government plans to invest more than $96 billion for IT in fiscal year 2018 — the largest amount ever budgeted. Despite such large IT expenditures, we have previously reported that investments in federal IT too often result in failed projects that incur cost overruns and schedule slippages, while contributing little to the desired mission-related outcomes.”
Powner further stated, “security deficiencies can threaten systems once they become operational. As we previously reported, in order to counter security threats, 23 civilian Chief Financial Officers Act agencies spent a combined total of approximately $4 billion on IT security-related activities in fiscal year 2016. Even so, our cybersecurity work at federal agencies continues to highlight information security deficiencies.” He cited in his testimony continuing privacy and security issues within the Department of Education’s Office of Federal Student Aid, the IRS, the National Aeronautics and Space Administration, the NRC, OPM, and the Department of Veterans Affairs.
The federal government must take the protection of sensitive information and data much more seriously. Federal IT systems need to be modernized with increased security to shield taxpayers from current and future cybersecurity threats.
Deborah Collier serves as the director of technology and telecommunications policy for Citizens Against Government Waste, a nonprofit group aimed at promoting limited government.