We have been hearing a lot more lately about government watchdog agencies called the Offices of Inspector General. Every federal department has one. They didn’t get a lot of attention under the Obama Administration, but President Trump has been keeping them jumping.
The Office of Inspector General for the Department of Homeland Security just released a report that says the federal department “in charge of protecting the nation’s cybersecurity” hasn’t been protecting its own systems.
The report is called “Evaluation of DHS’ Information Security Program for Fiscal Year 2017.” As a report card, it tells the public that DHS just got a few ‘F’s on protecting classified intelligence.
The marks are so bad it makes one wonder if Obama didn’t somehow do this on purpose.
The report is divided into the sections “Identify, Protect, Detect, Respond, and Recover,” and DHS didn’t do so well in the protecting, identifying, and responding categories.
A significant number of national security data systems storing every grade of information from unclassified to the highest grade of “top secret” were using obsolete operating systems that haven’t been supported with patches for years.
It’s no wonder that the Trump administration’s Chief Information Officer for DHS resigned only three months after he started. He wasn’t about to get caught holding the bag.
When President Trump signed an executive order addressing cybersecurity by requiring “all federal agencies to audit their systems for vulnerabilities,” Richard Staropoli looked around at the gear being used at DHS headquarters, threw up his hands in disgust, and walked out the door.
Serious vulnerabilities “expose DHS data to unnecessary risks,” OIG investigators report. There was a lot more the agency could be doing to defend its systems “more fully and effectively.”
OIG investigators found 64 separate machines on the department’s network that were “vulnerable” to attack. They “lacked the authority to operate,” which means they had never been formally approved to run on the network but were used anyway.
A significant number of those machines are dedicated to national security-related matters and contain “highly sensitive classified information.”
It wouldn’t take the Russians or the North Koreans more than a few minutes to hack and crack their way in if they wanted to. A twelve-year-old could probably do it in a week.
The goal that the department set for itself was a lot like those new year’s resolutions to lose weight that everyone ignores long before Groundhog Day.
They vowed to maintain all “high-value systems with the correct security updates, patches, and approved configurations to prevent data leaks or breaches.”
Not only was the server at Homeland Security headquarters a Swiss cheese of security holes, the Coast Guard and the Secret Service were just as bad. All three were “still running Windows Server 2003.”
“None of the servers had received security patches since July 2015 when Microsoft stopped supporting the operating system.” Your toaster is probably better defended on the internet.
Even the ones running versions of Windows at least supported by updates were wide open to attack.
Five DHS machines were missing patches; two had not been updated since July of 2013, and all five could have been hijacked by the WannaCry ransomware that crippled businesses worldwide last year.
“Several Windows 8.1 and Windows 7 workstations were missing key security patches, including those to protect against WannaCry ransomware that infected tens of thousands of computers in over 150 countries in May 2017.”
“Windows 2008 and 2012 operating systems were missing security patches for Oracle Java, an unsupported version of Internet Explorer, and a vulnerable version of Microsoft’s Sidebar and Gadgets applications,” the report states.
Somehow, Homeland Security’s cyber-alert team was able to issue an alert about the “dangerous consequences when using software that would no longer receive patches,” and still look themselves in the mirror shaving every day for more than a year.
The IG’s report didn’t divulge which sub-departments within Homeland Security kept classified information on insecure servers, but it did relate that the federal emergency response agency, FEMA, “had 15 unclassified systems that lost their authority to operate.”
Homeland Security HQ came in second on the list with seven “vulnerable unclassified systems.”
Homeland Security says one of their biggest challenges is finding qualified people in the first place.
“A lack of qualified security engineers from the overall labor market” is blamed as “the foremost reason for components failing to meet its SA metric.”
DHS has ads running offering jobs to “qualified security experts” but they have no idea what skills are possessed by the employees they already have.
“DHS has not assessed the knowledge, skills, and abilities of its cyber workforce.”
“Lacking such an assessment, DHS cannot assure that its employees possess the knowledge and skills necessary to perform their various job functions, or that qualified personnel are hired to fill cybersecurity-related positions.”
Homeland Security acknowledged in the official report “that it concurred with the inspector general’s findings.” It promises to be using up-to-date equipment and software with all the right patches, and even to have it configured correctly, by “late September.”