NASA and the U.S. Department of State were among the federal agencies that received low marks on IT security, according to a recent report card issued by the New York-based firm Security Scorecard. Also receiving low grades were the states of Connecticut, Pennsylvania and Washington.
The 2016 U.S. Government Cybersecurity Report, released earlier this month, analyzed the cybersecurity vulnerabilities of some 600 local, state and federal government agencies. It found that government organizations perform poorly in information security compared to private-sector enterprises in transportation, retail, healthcare and other industries.
Security Scorecard put a special focus on NASA, the Federal Bureau of Investigation and the Internal Revenue Service, all of which have been hit by significant data breaches this year. Across the board, government agencies struggled most with malware infections, network security and the timing of regular software patches, the report found.
‘Too Many are Exposed’
Founded in 2013, Security Scorecard was started by Aleksandr Yampolskiy and Sam Kassoumeh, both information security veterans of the Gilt Groupe members-only sale-of-the-day site. That company was acquired earlier this year for $250 million by the Hudson’s Bay Company, a Canadian retail business group.
According to Security Scorecard’s Web site, the company uses three sources of information — proprietary data, raw data feeds of publicly available open source malware intelligence and other threat intelligence data feeds — to assess security performance. It grades sites based on hacker chatter, DNS (Domain Name System) health, presence of vulnerable applications, server-side vulnerabilities, use of corporate credentials on social networks and other metrics.
A Security Scorecard spokesperson told us that the company has also built sinkhole infrastructures that reverse engineer malware and capture related data. “[Our] honeypots are intentionally insecure systems created to monitor various types of attacks. This gives [us] an outside-in perspective that non-intrusively uncovers millions of vulnerability data points across the entire Internet,” the spokesperson said.
“With serious data breaches making headlines on what seems like a weekly basis, our team felt compelled to turn a spotlight on government agencies and determine which of them are demonstrating a commitment to securing their infrastructure and which are falling short,” senior data scientist Luis Vargas said in a statement. “The data we uncovered clearly indicates that while some are improving their security postures, too many are leaving themselves dangerously exposed to risks and vulnerabilities, especially at the larger federal level.”
New Efforts in Wake of Hacks
The cybersecurity report ranked government agencies last out of 18 different sectors. Companies in the information services industry performed best in the assessment, followed by the construction industry and the food industry. Low-performing private-sector industries included pharmaceuticals (15th place), telecommunications (16th) and education (17th).
Local, state and federal government organizations have experienced 35 “major” data breaches since last April, according to Security Scorecard. In February, for example, hackers published details about FBI and Department of Homeland Security employees on Twitter. And this year, hackers with the group AnonSec released 250 GB of data extracted from NASA’s systems, while an attack on the IRS last year led to the leak of personal data associated with more than 700,000 taxpayer accounts.
Federal agencies have been working to improve performance, with the Department of Defense announcing in March that it will be launching its first bug bounty program. President Barack Obama earlier this year also called for the enactment of a Cybersecurity National Action Plan that “puts in place a long-term strategy to enhance cybersecurity awareness and protections.”