Watchdog: Agency Responsible for Guarding Government Against Hackers Is Vulnerable to Hackers
The Department of Homeland Security's inspector general is not pleased with the agency's network security.
The Department of Homeland Security is responsible for guarding the federal government’s computer networks. Turns out that it doesn’t seem capable of adequately protecting its own.
In a hard-hitting 36-page report, DHS Assistant Inspector General Sondra McCauley took an expansive look at the department’s performance as the main guardian of the government’s .gov domains, a frequent target of overseas hackers. The most recent high-profile attack was revealed in June, when U.S. officials made public that cyber thieves had broken into the networks of the Office of Personnel Management and stolen the personal information of some 21.5 million current, former, and prospective federal employees. The hack, widely thought to have been carried out by China, prompted fears that Beijing might use the information to unmask American intelligence agents, though Director of National Intelligence James Clapper said last week that so far the U.S. intelligence community has detected no evidence of the data being put to that use.
The most damning section of the report details vulnerabilities in computers at Immigration and Customs Enforcement and the Secret Service, two DHS components. McCauley identified a variety of security problems that, among other things, would have allowed an attacker to “mislead a legitimate user to providing sensitive information,” “conduct privileged functions,” “assist in worm propagation,” modify databases, and impersonate a legitimate user.
These vulnerabilities, the report notes, could have allowed “unauthorized individuals to gain access to sensitive data.” Put another way, the agency responsible for protecting the government against overseas hackers was itself vulnerable to overseas hackers.
The report’s conclusions weren’t all bad for DHS, which McCauley said had strengthened many of its cybersecurity capabilities. But they offered what was far from a glowing endorsement of the department’s work.
To take one example, McCauley said cyber personnel in Immigration and Customs Enforcement, the National Programs and Protections Directorate, and the Secret Service “do not have a clear understanding of each other’s responsibilities and operational and investigative capabilities.” As a result, incidents have been referred to the wrong component of the federal government. Such confusion, the report notes, may have “caused delays in [DHS’s] response and recovery efforts.”
The report also found that DHS lacks a way to share cyberthreat information within the department in real-time — a major shortcoming given the importance of identifying and responding to hacks as quickly as possible to limit the extent of the data breach.
In a carefully worded response, the department said it was working to put in a “near real-time” system that it expects to be completed by Aug. 31, 2016. It made no mention of whether, or when, it would develop a fully real-time system.
The report also found that components of the department are creating their own training regimens and as a result “are incurring significant, duplicative costs.” DHS said it was moving to a new, department-wide system that would be in place by March 31, 2016, but offered no details on cost.
Among the other training problems identified by Roth: Immigration and Customs Enforcement and the U.S. Secret Service “have not provided annual specialized security training required for individuals with significant security responsibilities.”
Without such training, the report argues, “components cannot ensure that their personnel with significant security responsibilities have the appropriate skills and knowledge to properly administer and secure systems against potential attacks.”