Report: Serious Cybersecurity Breaches at DHS

The Department of Homeland Security’s Office of Inspector General released a report on Monday evaluating DHS’ Information Security Program. According to the executive summary, the report identified a number of issues that concerned Sen. Tom Coburn (R-OK), ranking member of the Senate Homeland Security and Governmental Affairs Committee. 

The breaches listed were: 

(1) systems are being operated without authority to operate; (2) plans of action and milestones are not being created for all known information security weaknesses or mitigated in a timely manner; and (3) baseline security configuration settings are not being implemented for all systems. Additional information security program areas that need improvement include incident detection and analysis, specialized training, account and identity management, and contingency planning. Finally, the Department still needs to consolidate all of its external connections, and complete the implementation of personal identity verification compliant logical access on its information systems and networks.

In a statement released by his office on Monday, Coburn criticized DHS, saying the OIG report “shows major gaps in DHS’s own cybersecurity, including some of the most basic protections that would be obvious to any 13-year-old with a laptop. DHS doesn’t use strong authentication.”

Coburn also stated that DHS relies on “antiquated software that’s full of holes. Its components don’t report security incidents when they should. They don’t keep track of weaknesses when they’re found, and they don’t fix them in time to make a difference.”

House and Senate Intelligence Committee Chairs Rep. Mike Rogers (R-MI) and Dianne Feinstein (D-CA) told CNN’s Candy Crowley on Sunday that the United States is less safe and that “terror is up worldwide.” Both agreed that “there is huge malevolence out there” against the United States.

In his statement, Coburn noted that President Obama “called on the private sector to improve its cybersecurity practices to ensure that our nation’s critical infrastructure is not vulnerable to an attack,” adding that DHS and other agencies must be held to at least the same standard:

The fact is the federal government’s classified and unclassified networks are dangerously insecure, putting at risk not only U.S. national security, but the nation’s critical infrastructure and vast amounts of our citizens’ personally identifiable information.

We spend billions of taxpayer dollars on federal information technology every year. It is inexcusable to put the safety and security of our nation and its citizens at risk in this manner. 

Committee Chairman Tom Carper (D-DE) preferred to look at the silver lining of the report, citing DHS’s “considerable progress” in implementing Federal Information Security Management Act (FISMA) protections.

The OIG has recommendations for DHS to improve its information security program. These are:

Establish a process to ensure that baseline configuration settings are being implemented and maintained on all workstations and servers, including non-Windows platforms.

Ensure that all operational information systems have current authorization to operate.

Improve the Information Security Office’s Plan of Action and Milestones review process to ensure that all of these, including “top secret” systems, are being remediated in a timely fashion and in compliance with DHS guidance.

Establish enterprise-wide security training requirements to ensure all privileged users receive necessary role-based specialized security training.

Strengthen the department’s oversight on its top secret systems by performing critical control reviews on selected systems to ensure the required controls are implemented.