The Interior Department took a beating at a House hearing on June 7 delving into the agency’s ineffective password protections revealed earlier this year, while a Government Accountability Office (GAO) official called on President Biden to solidify Federal agency cybersecurity leadership by appointing a permanent National Cyber Director.
On the leadership front, GAO’s Director of IT and Cybersecurity Marisol Cruz Cain urged the appointment of a permanent NCD as soon as possible. That position became vacant when NCD Chris Inglis resigned earlier this year, and has been filled on an acting basis since then by Kemba Walden.
“The coordination amongst all agencies can really benefit from getting a permanent cyber director and being able to have the leadership from that office be how each Federal agency approaches their cybersecurity posture,” GAO’s Cruz Cain said during a House Natural Resources Oversight and Investigations Subcommittee hearing on June 7.
The subcommittee met to examine ongoing cyber threats within the Interior Department after a scathing report earlier this year from the Interior Department’s Office of the Inspector General (OIG) detailing the use of ineffective password protection strategies at the agency.
The January 3 report found that the OIG was able to crack 16 percent of the passwords it examined after just 90 minutes of trying.
“We found that the Department’s management practices and password complexity requirements were not sufficient to prevent potential unauthorized access to its systems and data,” Interior Department Inspector General Mark Greenblatt said during his testimony at the hearing. “Over the course of our inspection, we cracked 18,174 of 85,944 – or 21 percent of active user passwords, including 288 accounts with elevated privileges and 362 accounts of senior U.S. government employees.”
Brian Cavanaugh, a fellow for cybersecurity, intelligence, and homeland security at the Heritage Foundation, noted during the hearing that these findings were especially impactful because the Interior Department houses enormous amounts of data on its digital infrastructure.
“Whether it relates to sustaining the health and productivity of public lands, the development of U.S. Outer Continental Shelf energy and mineral resources, or enhancing the quality of life of American Indians, Indian tribes, and Alaska Natives, the DOI must safeguard the data, resources, and infrastructure it utilizes to deliver its mission,” he said.
“The OIG was able to demonstrate that the front door to the DOI has been left unlocked by its employees,” Cavanaugh added.
Charles Clancy, senior vice president at MITRE Corp., recommended during the hearing that the Interior Department develop a cybersecurity strategy for its enterprise network infrastructure and partner with other Federal agencies to protect the country’s critical infrastructure against adversary attacks.
“DoI is not alone. It can leverage deep expertise across the interagency to improve its own enterprise cybersecurity, and work with key partners across DHS [Department of Homeland Security] and DoD [Department of Defense] to help secure infrastructure over which it has some oversight,” Clancy said. “With a proactive cybersecurity strategy, it can build momentum by adopting best practices and forging interagency relationships.”
The OIG made eight recommendations to the department in early January to help address the insufficiently complex passwords that fail to keep the agency’s information safe.
Greenblatt said that he believes the agency has thus far done a decent job of complying with the recommendations, but that some – like implementing multi-factor authentication (MFA) – cannot be completed because the department’s systems are so old.
“There are some systems that are so old that they can’t handle MFA,” Greenblatt explained. “They’re technologically having difficulty actually handling it on the infrastructure that they have right now.”
GAO’s Cruz Cain explained that the Interior Department is also challenged by the scope and size of its IT budget.
“Most of their IT budget – about 83 percent of it – goes towards just operating and maintaining their IT systems. And that includes a lot of the aging and legacy technologies that we’ve been mentioning, which do not allow newer technologies to be used – such as multi-factor authentication,” Cruz Cain said. “And it really hinders their ability to deal with new cyber risks.”
She added, “We really are asking them to shift their focus of their budget to development, modernization of those legacy systems, and making enhancements that would better position Interior to modernize those legacy systems and then address the associated vulnerabilities with those systems and be able to engage with the new cybersecurity technologies.”