An annual audit of the U.S. Treasury by its Office of Inspector General (OIG), mandated by the Federal Information Security Management Act (FISMA), found that the Treasury Foreign Intelligence Network (TFIN) was vulnerable to hacking by malicious actors.
The official reason for the TFIN's existence is for the Treasury and U.S. spy agencies to track payments to terrorists and to keep tabs on financial sanctions to various countries such as Russia and Iran.
The audit, submitted by the OIG in September 2014, found no evidence of intrusion, but it discovered that 29 percent of the devices connected to the TFIN did not meet the applicable security standards.
"As a result...devices may not be protected with the most secure recommended configurations, increasing the risk of being compromised," the Treasury's Office of Inspector General said.
A Treasury official said that the problem has been fixed since the release of the audit.
After the Office of Personnel Management (OPM) hack, which has been described as the largest data breach in the U.S. government's history, U.S. agencies need to respond more swiftly to the security recommendations of such audits and to adopt stronger security models that protect data even after a network has been breached (an outcome the U.S. government may never become fully immune to).
The OPM, for instance, didn't encrypt Social Security numbers, fingerprints and other sensitive information about its employees, so once the hackers penetrated the network, they could access everything.
Google and other companies have started to move away from the "network defense" model, which no longer seems as effective as it may once have been, and have instead adopted a "zero trust network" model, in which each computer is protected from the internal network as well as from the Internet.
Employees would also get only the access to confidential information they strictly need, and would use two-factor authentication, a measure suggested to the OPM years ago by the OIG and by security companies.
Such an overhaul of the government's systems could take many years and many billions of dollars, so even if the government decides to drastically strengthen the security of its computer systems, it may not actually get all the funding to do so. It could, however, at least prioritize the most important infrastructure, such as financial, healthcare and military institutions.
The government could also adopt a "least stored data" principle, storing only the data strictly necessary for its purposes and nothing more.
However, the U.S. government seems to have been moving in the opposite direction lately, with a "collect it all" principle of gathering all available data about everyone. This only makes U.S. data centers a more appealing target, whether to rival governments or to criminal organizations, which could use the stored information to break into other government systems or to blackmail people.
Storing as little data about its citizens as possible, combined with an "encrypt everything" attitude, could at least drastically reduce the damage from such data breaches.