Report finds inexcusable failings in government cybersecurity

While the recent hack of FDA databases raised plenty of questions about its cybersecurity policies, the agency offered few answers. If a damning new report into government-wide practices is in any way representative of the FDA, though, the agency will need to tighten up.

The President's Council of Advisors on Science and Technology (PCAST) report lambasts federal agencies for failing to follow best practices. Weaknesses identified by PCAST include the continued widespread use of outdated operating systems such as Windows XP. Microsoft ($MSFT) introduced Windows XP in 2001 and replaced it in 2007 with the little-loved Vista. PCAST reports that XP is vastly less secure than more modern operating systems such as Windows 7 and 8, and is less likely to be fully patched against new threats.

"There is simply no excuse for the Federal Government to be such a poor leader by example," PCAST wrote in its report to President Barack Obama. PCAST calls for the government to make a firm commitment to phase out old operating systems within two years. By then, Windows XP will be 14 years old. The Internet Security and Privacy Advisory Board made a very similar recommendation 20 months ago. PCAST also noted a failure to use the latest versions of web browsers and a general tardiness in updating software.

While working to overcome these failings, regulatory agencies should also change how they monitor cybersecurity in the private sector. PCAST calls for the Securities and Exchange Commission (SEC) to make public companies disclose cybersecurity risk factors in their filings, a proposal that goes beyond current materiality tests. Other recommendations include an auditable process to encourage companies to adopt best practices, an approach PCAST considers preferable to a mandatory list of cybersecurity requirements.

- read Ars Technica's coverage
- here's the report (PDF)