U.S. Government Cybersecurity Lags Behind That of a Fast Food Joint, Say Analysts

Despite their strong cybersecurity, McDonald’s Canada, Arby’s, and Wendy’s have all suffered damaging hacks within the past two years. Edgar Su/Reuters

The American federal government and countless state and local governments throughout the U.S. are more vulnerable to cyberattacks than your local McDonald's.

A new study ranking the cybersecurity of 18 industries "paints a grim picture" with the U.S. government 16th when it comes to protecting its computer systems and data from hackers.

At the top are retailers and the fast food industry.

"Meeting the information security posture of the fast food industry should not be a lofty goal when it comes to the federal government," said Alex Heid, a hacker and Chief Research Officer at cybersecurity consulting firm SecurityScorecard.

The firm conducted the U.S. State and Federal Government Cybersecurity Report released Thursday, analyzing more than 500 state, local and federal government entities.

Heid said he can see how smaller local governments and municipalities don't have the money to "allow them to get up to the security level of a Fortune 500 fast food retail chain." But that's no excuse for the federal government, he said.

The federal government is riddled with cybersecurity vulnerabilities, even in the U.S. Office of Personnel Management (OPM), which suffered the largest theft of government data in the history of the U.S. in 2015.

In early August, a Government Accountability Office (GAO) report showed that the OPM still has vulnerabilities after the massive 2015 breach, in which hackers made off with the government's records of more than 21 million people who had gone through security background checks—some of whom received high-level security clearances.

The GAO report found that three years on, the OPM "did not encrypt" sensitive data on one of the systems they audited "and did not encrypt transmitted data on another."


Their oversight of their contractors' cybersecurity wasn't "comprehensively tested" either, according to the report. It did, however, point out that the office has completed nearly 19 recommendations to improve its cybersecurity after the breach, with only four "requiring further improvement." One improvement was multifactor authentication for computer logins.

In a letter to auditors, the OPM's chief information officer, David DeVries, argued that "even if a potential vulnerability existed within the OPM environment," multiple defensive measures would have to fail "before a successful attack could be established."

Still, the GAO's auditors stood by their report, saying it "appropriately reflects OPM's cybersecurity posture."

Even larger weaknesses are prevalent throughout government systems, said Heid. Last year there was a 40 percent increase in government data breaches, with 72 across American government systems.

"There's still a chance for more breaches to come of classified databases of personnel, even if it doesn't come from OPM," he said. "Perhaps it comes from a partner that handles the data, or maybe from a different branch of government that processes data like that."

Other cybersecurity experts recently told Newsweek that government contractors who handle data and can access government systems are a weak link and remain vulnerable, potentially offering a pivot point for hackers to access government systems.

Heid said government staff are also using their work emails and passwords on other websites that have suffered data breaches like Yahoo's email service, Dropbox, LinkedIn, Ashley Madison, and Adult FriendFinder.

"When it comes to leaking credentials, the average internet user is still OK with using the same email and password combination across multiple sites on the internet," he said. "Until that type of behavior changes, there's going to be repeats."

In April, the U.S. Computer Emergency Readiness Team sent out a warning to the government's network administrators that hackers "appear to be leveraging stolen administrative credentials"—usernames and passwords—in a way that they could "gain full access to networks and data in a way that appears legitimate."

"Every email address and password combination going back about 10 years, on every major public website has been leaked and circulated in the last two years," said Heid. "From 2016 to 2017, there were over 3 billion leaked" emails and passwords and "the databases are now circulating" online. Other governments, like Russia and China, are using these.

The main things the U.S. government can do, he said, are to train staff and get rid of legacy systems—software and devices that are no longer supported by updates.

A series of "technology investments through the 1980s, '90s and mid-2000s full of vulnerabilities sit alongside new emerging (and often misconfigured) technology, creating a horrible hodgepodge of cybersecurity risks," according to SecurityScorecard's analysis.

The federal government, however, does have it together in a few places where it counts: The Internal Revenue Service, Secret Service, and Congressional Budget Office, which wire-transfers money to fund government projects, all have cutting-edge cybersecurity. But "they're watching that to the detriment" of other agencies and departments, Heid said.

In May, Trump issued an executive order on cybersecurity that directs his Cabinet to carry out a review of each department's cybersecurity defenses within 90 days. That report has yet to be made public.

What's needed is more money invested in updating computer systems across the government, Heid argues. America's federal government, he said, still has a "long way to go to being considered top of the pack."