After Damning Findings on FMCSA, USDOT Watchdog Sounds Alarm on Cybersecurity Risks
Washington D.C. — This week, an auditor with the U.S. Department of Transportation’s (USDOT) Office of Inspector General (OIG) painted an alarming picture of the Department’s defenses against cyber attacks.
In testimony before the U.S. House Transportation and Infrastructure (T&I) Committee, Kevin Dorsey, OIG assistant inspector general for information technology audits, told lawmakers the USDOT’s information technology (IT) systems continue to be “at risk” by “persistent weaknesses in basic things such as a lack of strong passwords, software that is not updated in various operating systems, and a lack of encryption in data.”
Dorsey said the OIG has made many recommendations for steps the USDOT must take to secure its IT systems, but informed lawmakers the Department “has yet to close 10,663 vulnerabilities associated with its information systems.”
Further, he implied a failure of leadership has led to such measures being left unaccomplished.
“[US]DOT has not had a permanent Chief Information Security Officer with the leadership authority to perform effective oversight and ensure accountability for departmental information security improvements for close to a year,” he said in written testimony. “Thus, it is challenging for [US]DOT to move forward with a continuity of strategy that can affect long-term changes.”
Dorsey’s troubling appearance before Congress comes after a highly damning OIG report recently revealed egregious failures at the Federal Motor Carrier Safety Administration (FMCSA).
As part of an investigation into the FMCSA’s IT infrastructure — conducted between October 2020 and August 2021 — OIG investigators were able to place malware on the FMCSA’s IT network without Agency officials detecting the threat for a month.
As a result, OIG hackers easily gained “unauthorized access” to 13.6 million unencrypted personally identifiable information (PII) records of commercial driver’s license (CDL) holders.
PII records left exposed during the assessment included commercial drivers’ contact and medical examination information as well as license and contact data for certified medical examiners.
When questioned by T&I Committee members about the disturbing findings, Cordell Schachter, USDOT chief information officer, said “improving cybersecurity is our number one priority.”