Created to safeguard the nation, the Department of Homeland Security is instead having difficulty ensuring its own computers are protected from hacking and cybersecurity breaches, a new report says.
Agency plans, policies and systems aren’t being updated to reflect the most recent threats, a potentially devastating misstep in the ever-evolving world of online security where new threats can pop up overnight, said the agency’s inspector general.
Some DHS cybersecurity guidelines date back to 2008, and “baseline security configuration settings are not being implemented for all systems,” investigators said.
In addition, 47 systems are being used without “authority to operate” certificates that ensure the most up-to-date security protocols are in place. Of those, 17 are systems that handle classified secret data.
“This report shows major gaps in DHS’ own cybersecurity, including some of the most basic protections that would be obvious to any 13-year-old with a laptop,” said Sen. Tom Coburn of Oklahoma, the top Republican on the Homeland Security and Governmental Affairs Committee.
“DHS doesn’t use strong authentication,” he said. “It relies on antiquated software that’s full of holes. Its components don’t report security incidents when they should. They don’t keep track of weaknesses when they’re found, and they don’t fix them in time to make a difference.”
The number of cybersecurity incidents at DHS has risen 17 percent over the past year, data shows, and attacks by more advanced malicious software have risen 134 percent since 2010.
While the department has made many improvements recently, the IG said, many weaknesses remain, including information stored outside DHS firewalls.
The agency doesn’t track what information is being stored in public clouds, inspectors said. Plus, DHS has 67 external Internet connections that could be potential gateways for hackers to get in.
The severity of security breaches depends on the nature of the information compromised, said Paul Rosenzweig, a homeland security analyst at the Heritage Foundation, a conservative think tank.
“If it’s the system that contains all of yours and mine flight information, then I’m a little more concerned than if it’s the system they use to buy water bottles for the [airport] screeners,” said Mr. Rosenzweig, a former DHS official.
What’s perhaps more troubling, he said, is the government’s inability to get its own affairs in order and the evidence of the difficulties federal agencies have in procuring IT services and equipment.
“We have not managed to match our means of purchasing computer cybersecurity systems to the dynamic, ever-changing environment that is the cyberspace,” Mr. Rosenzweig said.
Officials at Homeland Security said they are working to shore up the agency’s vulnerabilities.
“DHS has also taken actions to address the administration’s cybersecurity priorities, which included implementation of trusted Internet connections, continuous monitoring of the department’s information systems and data that support the DHS mission,” a response from the agency said.
IG officials agreed that the department had continued to “to improve and strengthen its information security program,” and had started to address issues raised in the most recent report.
Sen. Thomas R. Carper, Delaware Democrat and chairman of the homeland security committee, said the report “highlighted some very important areas in which DHS, like many other federal agencies, can and should improve.”
In November, the President’s Council of Advisors on Science and Technology released a report that found “the federal government rarely follows accepted best practices” when it comes to cybersecurity.
Some government computers are still using Windows XP as an operating system, the report found. The program is 12 years old and Windows announced that the company will stop supporting it next year. The president’s council wants all federal computers upgraded to more current software within two years.
Mr. Coburn said it was “inexcusable” for the government to waste billions of taxpayer dollars on IT improvements with little to show for it.
“The fact is the federal government’s classified and unclassified networks are dangerously insecure, putting at risk not only U.S. national security, but the nation’s critical infrastructure and vast amounts of our citizens’ personally identifiable information,” he said.
• Phillip Swarts can be reached at pswarts@washingtontimes.com.
Please read our comment policy before commenting.