A government watchdog’s audit of the U.S. Department of Homeland Security’s computer systems has detected dozens of serious vulnerabilities that made their data potentially prone to hackers.
Conducted by the agency’s Office of Inspector General and discussed in a report published Wednesday, “Evaluation of DHS’ Information Security Program for Fiscal Year 2017,” the audit concluded that DHS “could protect its information and systems more fully and effectively.”
DHS “did not implement all configuration settings required to protect component systems, continued using unsupported operating systems and did not apply security patches timely to mitigate critical and high-risk security vulnerabilities on selected systems,” the inspector general wrote.
“Until DHS overcomes challenges to addressing its systemic information security weaknesses, it will remain unable to ensure that its information systems adequately protect the sensitive data they store and process,” the report said.
Among the specific issues revealed by the audit was the government’s repeated use of outdated and discontinued hardware and software — a practice contrary to an executive order signed by President Trump in May that advised agencies to avoid products no longer subject to security updates, the inspector general noted.
DHS, the Coast Guard and the Secret Service each used unsupported versions of Microsoft Windows Server 2003 at the time of the audit, the inspector general wrote, notwithstanding the manufacturer ending security updates and technical support for that product in July 2015.
In other instances the audit identified computer systems that were significantly newer but vulnerable nonetheless.
“Windows 2008 and 2012 operating systems were missing security patches for Oracle Java, an unsupported version of Internet Explorer, and a vulnerable version of Microsoft’s Sidebar and Gadgets applications,” the report said. “Some of the missing security patches dated back to July 2013.”
“Several Windows 8.1 and Windows 7 workstations were missing key security patches, including those to protect against WannaCry ransomware that infected tens of thousands of computers in over 150 countries in May 2017,” the inspector general added. “Other examples of missing patches include those associated with internet browsers such as Mozilla and Firefox, and media players such as Flash player and Adobe Shockwave. We identified additional Adobe Acrobat vulnerabilities on these workstations as well.”
A vulnerability assessment of DHS computers altogether uncovered 13 distinct bugs ranked as “critical” and 27 described as “high-risk,” the report said.
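The two findings the report describes, operating systems past their vendor end-of-support date and hosts missing security patches for months or years, are the kind a routine inventory check can surface before an audit does. The script below is an added example and is not code from the OIG report or from DHS. The host rows, the audit date and the 90-day patch window are constructed for the example; the Windows Server 2003 entry in the end-of-support table is the July 2015 date the article cites, and the remaining entries are vendor lifecycle dates as I recall them, which an operator should confirm against the vendor's current lifecycle page before relying on them.

```python
"""
Inventory check for two conditions the audit reported: hosts running an
operating system past its vendor end-of-support date, and hosts whose newest
installed security update is older than an acceptable window.

Added example, not code from the OIG report or from DHS. Inventory rows,
audit date and the 90-day window are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Product name -> end of vendor security support. The Server 2003 date is the
# July 2015 date cited in the article; the others are vendor lifecycle dates
# as recalled and should be verified against the vendor's lifecycle page.
END_OF_SUPPORT: Dict[str, date] = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows Server 2012": date(2023, 10, 10),
}

# Constructed threshold: how old the newest installed security update may be.
MAX_PATCH_AGE = timedelta(days=90)


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    last_security_patch: date  # date of the newest security update installed


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str  # "critical" (unsupported OS) or "high" (stale patching)
    reason: str


def assess_host(host: Host, as_of: date,
                eos: Dict[str, date] = END_OF_SUPPORT) -> List[Finding]:
    """Return the findings for one host as of the given audit date."""
    findings: List[Finding] = []
    eos_date = eos.get(host.os)
    # An OS with no entry is treated as supported; an operator should make
    # the table complete so that unknown products are not silently passed.
    if eos_date is not None and eos_date <= as_of:
        findings.append(Finding(
            host.name, "critical",
            f"{host.os} unsupported since {eos_date.isoformat()}"))
    age = as_of - host.last_security_patch
    if age > MAX_PATCH_AGE:
        findings.append(Finding(
            host.name, "high", f"last security patch {age.days} days old"))
    return findings


def assess_inventory(hosts: List[Host],
                     as_of: date) -> Tuple[List[Finding], Dict[str, int]]:
    """Assess every host; return all findings plus a count per severity."""
    findings = [f for h in hosts for f in assess_host(h, as_of)]
    summary = {"critical": 0, "high": 0}
    for f in findings:
        summary[f.severity] += 1
    return findings, summary


# Constructed inventory and constructed audit date (end of FY2017).
AUDIT_DATE = date(2017, 9, 30)
SAMPLE_HOSTS = [
    Host("dc-legacy-01", "Windows Server 2003", date(2015, 7, 14)),
    Host("app-srv-07", "Windows Server 2008", date(2013, 7, 9)),
    Host("ws-0412", "Windows 7", date(2017, 8, 15)),
    Host("ws-0981", "Windows 8.1", date(2017, 9, 12)),
]

if __name__ == "__main__":
    all_findings, counts = assess_inventory(SAMPLE_HOSTS, AUDIT_DATE)
    for f in all_findings:
        print(f"{f.severity:8} {f.host:14} {f.reason}")
    print(counts)
```

Run against the constructed inventory, the script flags the Server 2003 host as unsupported and as unpatched, flags the 2008 host for a security update last applied in 2013, and passes the two recently patched workstations. In a real fleet the `Host` rows would come from the configuration management or endpoint management system rather than being typed in, and the severity labels can be mapped onto whatever scale the organization's vulnerability program uses.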
“Successful exploitation of critical and high-risk vulnerabilities may take the form of remote code execution, unauthorized modification or disclosure of information or possible escalation of access rights and privileges. Such exploitation can result in significant data loss and system disruption, which hampers mission-critical DHS operations,” the report warned.
“DHS cited a lack of qualified security engineers from the overall labor market as the foremost reason for components failing,” the inspector general wrote. “DHS indicated this constraint may continue until cybersecurity becomes a common skill-set across the Nation.”
The inspector general provided five recommendations to DHS aimed at securing its computer systems, and the department concurred with each and will take steps to implement them, according to the report.
DHS is “closely reviewing the final report to ensure best practices continue, and that we are prepared to immediately address future challenges,” an agency spokesperson told The Washington Times.
• Andrew Blake can be reached at ablake@washingtontimes.com.