FDA approved? Misconfigured networks were connected to the public internet
The Food and Drug Administration failed to implement agencywide cybersecurity programs, which allowed insufficient defenses to exist on databases, including inadequate encryption on some files, login authentication processes and network boundary security, according to a Government Accountability Office report made public on Thursday.
The independent congressional watchdog focused its investigation on a critical aspect of the FDA’s operations, which includes overseeing the access, storage and security of databases that hold files laden with intellectual property submitted by medical and pharmaceutical companies needing agency approval.
The rise of advanced persistent threats, or APTs — a term now synonymous with nation-state sponsored hackers — is among a laundry list of threats faced by the FDA, GAO believes.
GAO Chief Technologist Nabajyoti Barkakati told FedScoop that he would rank the FDA’s current digital security at “roughly a six or seven” on a scale of one to 10, putting it on par with most other federal agencies.
The watchdog group found instances in which the FDA’s sensitive networks were connected to the public internet, Barkakati told FedScoop. In such cases, the exposure typically resulted from either misconfigured settings or improperly patched software.
“Significant harm to FDA’s reputation and economic damage to regulated industries could result if this information is not adequately protected against cyber threats,” the report notes.
GAO’s 15-person information technology team did not conduct a compromise assessment on the FDA’s IT systems during the course of its most recent review, Barkakati said. As a result, it remains unclear whether the FDA’s systems had been breached in the past.
“If you’re a federal agency then it is just a matter of luck that you haven’t been mentioned in the headlines for a breach,” Barkakati said during a phone interview.
The official GAO report specifically notes that the FDA did not always “adequately protect the boundaries of its network, consistently identify and authenticate system users, limit users’ access to only what was required to perform their duties, encrypt sensitive data, consistently audit and monitor system activity, and conduct physical security reviews of its facilities.”
The aforementioned lack of encryption at the FDA, identified in the public GAO report, relates only to data in transit rather than stored data, said Barkakati.
“Effective information security controls are essential to ensure that the agency’s systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction,” the report’s summary states.
Since the GAO began investigating the FDA’s network security, the agency has taken decisive steps to improve and fix past missteps based upon a series of internal recommendations.
Notably, the FDA’s expedited response has subsequently attracted praise from lawmakers on the House Energy and Commerce Committee, who suggested that other audit processes would benefit from similarly avoiding “standard congressional practices of public letters and hearings calling security officials to account.”
Though a public GAO report became available on Thursday, some vulnerability findings were first shared with the FDA in January. As a result, the agency was afforded a window of time to address concerns without a “congressional hammer” looming in the background, according to the Energy and Commerce Committee.
A total of 87 vulnerabilities were found across four FDA “control areas”: access controls, configuration management, contingency planning and media protection.
GAO has recommended that the FDA take 166 specific actions to resolve weaknesses in the agency’s systems.
A significant portion of those 166 actions would be characterized as “important,” Barkakati said, while it’s also likely a number of them have already been dealt with by the FDA.
In the future, the watchdog group would also like to see the sitting FDA commissioner conduct a series of additional risk assessment tests to quantify the audits’ benefits.