About 3,000 critical and high-risk vulnerabilities were found in several of the Department of the Interior’s bureaus, according to a yet-unreleased draft inspector general report discussed Wednesday at a House oversight panel hearing.
The vulnerabilities, found through penetration tests, were on hundreds of publicly accessible computers operated by the three bureaus, according to a summary of the report obtained by FedScoop.
“If exploited, these vulnerabilities would allow a remote attacker to take control of publicly accessible computers or render them unavailable,” Mary Kendall, deputy inspector general at Interior, told lawmakers. “In addition, we found that a remote attacker could then use a compromised computer to attack the department’s internal networks that host computer systems supporting mission-critical operations and containing highly sensitive data.”
Held by the House Oversight and Government Reform’s Interior and Information Technology subcommittees, the hearing aimed to explore Interior’s role in one of two recent, high-profile data breaches involving the Office of Personnel Management. Interior housed an OPM personnel file database that held personal information of 4.2 million current and former federal workers. Officials have said the breach came from compromised OPM-side credentials.
During the hearing, Interior Chief Information Officer Sylvia Burns said her department thwarts as many as 6 million malicious connection attempts each week. But since the OPM attack, her office has stepped up its focus on cybersecurity, creating a cybersecurity advisory group to help develop a strategy to better protect the agency.
Burns also said the department rolled out a program for two-factor authentication, which requires network users to enter a username and password as well as another identifier — like a personal identity verification, or PIV, card. FedScoop reported in March that Interior’s two-factor authentication program would launch within the year, and Burns said her office ramped up plans since the attack.
She noted the department had a decentralized IT management and operation system. Of the $1 billion total IT budget for the department, Burns said she directly manages less than $200 million. However, Burns said, the agency is trying to become more centralized, a task that the new Federal Information Technology Acquisition Reform Act will help address once it is enacted.
According to the IG draft report summary, investigators also found 668 critical confirmed vulnerabilities in various bureaus’ publicly accessible systems. The IG based those determinations on the Department of Homeland Security’s definition of critical vulnerability.
Several cybersecurity experts expressed concerns about the numbers reported in the analysis.
“There is no circumstance under which it is less than negligent to allow hundreds of public facing computers to have over 668 public facing critical vulnerabilities,” said JJ Thompson, CEO of Indianapolis-based security consulting and managed security services firm Rook Security, in an email. Thompson was not a witness at the hearing.
Burns said the 3,000 critical and high-risk vulnerabilities have been remediated.
“I talked with the bureaus in question about them,” she said. She added, “… The bureaus in question have corrected the vulnerabilities that were identified in that report.”
In her written testimony, Kendall said the IG’s office briefed congressional staff on the report and provided a draft version to key members of Congress. She said there would be a follow-up audit to see whether Interior’s actions were effective at addressing the vulnerabilities identified, but she said the department has agreed with her recommendations and has begun to work on them.
During the hearing, Burns offered two pieces of advice to other federal CIOs:
1. Cybersecurity is a problem that must be addressed by both IT and non-IT staff. “I think to get this problem fixed that we have in the whole federal government, it takes strong leadership and drive. But it takes everybody to help with this. Cybersecurity isn’t isolated to IT.”
2. Agencies need to do more than calculate FISMA metrics. “They’re one lens of what we need to be doing, but there’s much more … It can’t be this paper-based exercise that we go through in checking boxes.”