I missed this when it was first issued two weeks ago, but it’s of sufficient importance that I think it bears highlighting. A technology audit by the Office of the Inspector General of the computer and software systems operated by the Department of Homeland Security found them woefully inadequate. From the report:
Specifically, since the Department’s inception in 2003, components have not effectively managed and secured their information systems. Components have continued to operate systems without ATOs [ed. Authority to Operate], used unsupported operating systems that expose DHS data to unnecessary risks, ineffectively managed the POA&M [ed. plan of action and milestones] to mitigate identified security weaknesses, and failed to apply security patches timely. Such repeated deficiencies are contrary to the President’s Cybersecurity Executive Order and clear indicators that departmental oversight of the enterprise-wide information security program needs to be strengthened. Until DHS overcomes challenges to addressing its systemic information security weaknesses, it will remain unable to ensure that its information systems adequately protect the sensitive data they store and process.
Translation: the department responsible for the country’s security is unwilling or unable to look after its own. This is not insignificant, and IMO the federal government, as structured, is incapable of maintaining adequate levels of cybersecurity. Funding mechanisms and levels are inadequate to enable departments to upgrade their systems on a timely basis or to maintain them in a way that brings them up to an adequate level of security. There are far too many homegrown experts, and when outside resources are used there is insufficient ability or willingness to give them sufficient oversight.
The IG made five recommendations:
Recommendation #1: Pursue with the Under Secretary for Management alternate strategies for ensuring that components accomplish planned actions to address deficiencies in areas such as security authorization, weakness remediation, and continuous monitoring that have consistently lagged behind in key performance metrics on the monthly information
Recommendation #2: Enforce the requirements for components to obtain authority to operate, test contingency plans, and apply sufficient resources to mitigate security weakness for national security systems according to applicable policies.
Recommendation #3: Revise the information systems continuous monitoring strategy to include an up-to-date inventory of software assets and licenses used within the Department.
Recommendation #4: Implement controls and perform quality reviews to validate that information security data input to DHS’ enterprise management systems is complete and accurate.
Recommendation #5: Expedite the process for discontinuing the use of unsupported operating systems within the Department.
These are incredibly basic. Taken severally or corporately they do not constitute a plan for securing DHS. They’re recommendations that DHS formulate a plan. A decade from now some future IG audit will find the same deficiencies in the systems that replace the systems presently in use.
IMO there are only two courses of action that would render DHS secure. They could decomputerize; the present DHS is incapable of maintaining the pace and accountability required to maintain a proper level of security. That would be met with enormous resistance, not just from the DHS itself but from Congress and the electorate.
Alternatively, they could decentralize, increasing the number of targets while decreasing the target size, and diversify their information technology ecosystem. That would meet an even greater level of resistance and would be very expensive in dollars, time, and management attention.
What will actually happen is that very little will change and DHS will remain insecure. Make your plans accordingly.
Keep in mind that the Pentagon can’t keep itself secure, and the military has the ability to order its personnel to do things and throw them in jail if they don’t comply, an alternative not available to the civilian branches.