Constitutionally Incapable

I missed this when it was first issued two weeks ago but it’s of sufficient importance that I think it bears highlighting. A technology audit by the Office of the Inspector General of the computer and software systems operated by the Department of Homeland Security found them woefully inadequate. From the report:

Specifically, since the Department’s inception in 2003, components have not effectively managed and secured their information systems. Components have continued to operate systems without ATOs [ed. Authority to Operate], used unsupported operating systems that expose DHS data to unnecessary risks, ineffectively managed the POA&M [ed. plan of action and milestones] to mitigate identified security weaknesses, and failed to apply security patches timely. Such repeated deficiencies are contrary to the President’s Cybersecurity Executive Order and clear indicators that departmental oversight of the enterprise-wide information security program needs to be strengthened. Until DHS overcomes challenges to addressing its systemic information security weaknesses, it will remain unable to ensure that its information systems adequately protect the sensitive data they store and process.

Translation: the department responsible for the country’s security is unwilling or unable to look after its own. This is not insignificant, and IMO the federal government, as structured, is incapable of maintaining adequate levels of cybersecurity. Funding mechanisms and levels are inadequate to let departments upgrade their systems on a timely basis or maintain them at an adequate level of security. There are far too many homegrown experts, and when outside resources are used there is insufficient ability or willingness to give them sufficient oversight.

The IG made five recommendations:

Recommendation #1: Pursue with the Under Secretary for Management alternate strategies for ensuring that components accomplish planned actions to address deficiencies in areas such as security authorization, weakness remediation, and continuous monitoring that have consistently lagged behind in key performance metrics on the monthly information scorecard.

Recommendation #2: Enforce the requirements for components to obtain authority to operate, test contingency plans, and apply sufficient resources to mitigate security weakness for national security systems according to applicable policies.

Recommendation #3: Revise the information systems continuous monitoring strategy to include an up-to-date inventory of software assets and licenses used within the Department.

Recommendation #4: Implement controls and perform quality reviews to validate that information security data input to DHS’ enterprise management systems is complete and accurate.

Recommendation #5: Expedite the process for discontinuing the use of unsupported operating systems within the Department.

These are incredibly basic. Taken individually or together, they do not constitute a plan for securing DHS. They’re recommendations that DHS formulate a plan. A decade from now some future IG audit will find the same deficiencies in the systems that replace the systems presently in use.

IMO there are only two courses of action that would render DHS secure. They could decomputerize; the present DHS is incapable of maintaining the pace and accountability required to maintain a proper level of security. That would be met with enormous resistance, not just from the DHS itself but from Congress and the electorate.

Alternatively, they could decentralize, increasing the number of targets while decreasing the target size, and diversify their information technology ecosystem. That would meet an even greater level of resistance and would be very expensive in dollars, time, and management attention.

What will actually happen is that very little will change and DHS will remain insecure. Make your plans accordingly.

Keep in mind that the Pentagon can’t keep itself secure and the military has the ability to order its personnel to do things and throw them in jail if they don’t comply, an alternative not available to the civilian branches.

  • mike shupp

    I don’t think people interested in maintaining computer security get very high up in American politics or government, I don’t think people who want to hire IT professionals or pay for maintaining computer systems often reach a level where they affect budgets, and I don’t think many 60- or 70-year-old politicians and lawyers and upper level bureaucrats are going to listen to IT engineers and technicians who try to explain matters to them.

    Remember Hillary Clinton on her own hook deciding that dealing with State Department computer systems was just too complicated so she would handle all her communications herself on a home PC system? And I’ll bet she patted herself on the back for that decision every day until the newspaper stories started.

  • Roy Lofquist

    I was in the computer business for about 40 years, starting in 1965. At various times I was a hardware technician, programmer, analyst, developer and sales support working for hardware and software vendors and as an independent contractor. During that time I came into contact with hundreds of different organizations. My ratings of computer competence:

    1. Hardware and software vendors.
    2. Aerospace and electronics.
    3. Financial.
    4. For profit business.
    5. Professionals – Doctors, lawyers, CPAs. They’re God, you’re not.
    6. Non-profits including all levels of government.

    Number 6 is the retrain after lunch bunch.

  • Andy

    I was a security manager, to include information security, for the DoD for several years. The DoD has come a long way, more than the rest of the federal government. Still, transitioning legacy systems was never quick or easy – until just a couple years ago the payroll system still relied on an old mainframe that timecard keepers had to telnet into in order to manually enter everyone’s data.

    Updating these systems has taken decades and billions of dollars. That’s simply the way the federal bureaucracy works in the vast majority of cases.

    Homeland Security is in a particularly tough position – it’s a department that was cobbled together from other departments and agencies and each brought their own legacy systems to it. So everything there is probably twice as hard (and expensive) as the DoD, which is already the poster child for procurement incompetence.

    It’s not going to get any better at DHS.

  • It’s not going to get any better at DHS.

    That’s what I think. Heck, they’re still using XP systems in places.

    But that’s the very nature of government procurement and I can’t see the Congress writing blank checks to improve security. That’s why they should either be thinking low tech or distribution and diversification.

    until just a couple years ago the payroll system still relied on an old mainframe that timecard keepers had to telnet into in order to manually enter everyone’s data.

    That highlights something I’ve been trying to explain to people for years. The value of existing systems is grossly overestimated. They could probably have replaced that system, software and all, for less than the cost of maintenance.

    This is an issue that is going to become much more aggravated quickly. Most existing systems and software will soon have little or no salvage value.

  • Andy

    The payroll system is a good example. It was replaced with a web-based system. Now, each employee enters timecard data. That data is electronically approved by the supervisor. The timekeeper then approves and it gets sent to the pay center for processing and disbursal.

    With the mainframe/telnet system, the timekeeper would have to spend hours manually entering data from paper timesheets. Needless to say, there were a lot of errors. The timekeeper also does the quarterly audits and those are now much easier and more accurate with a modern centralized system.

    The savings in labor alone is huge. But that system was, according to my timekeeper, in development for almost a decade and had to go through several iterations on the way.
