Created to safeguard the nation, the Department of Homeland Security is instead having difficulty ensuring its own computers are protected from hacking and cybersecurity breaches, a new report says.
Agency plans, policies and systems aren’t being updated to reflect the most recent threats, a potentially devastating misstep in the ever-evolving world of online security where new threats can pop up overnight, said the agency’s inspector general.
Some DHS cybersecurity guidelines date back to 2008, and “baseline security configuration settings are not being implemented for all systems,” investigators said.
In addition, 47 systems are being used without “authority to operate” certificates that ensure the most up-to-date security protocols are in place. Of those, 17 are systems that handle classified secret data.
“This report shows major gaps in DHS‘ own cybersecurity, including some of the most basic protections that would be obvious to any 13-year-old with a laptop,” said Sen. Tom Coburn of Oklahoma, the top Republican on the Homeland Security and Governmental Affairs Committee.
“DHS doesn’t use strong authentication,” he said. “It relies on antiquated software that’s full of holes. Its components don’t report security incidents when they should. They don’t keep track of weaknesses when they’re found, and they don’t fix them in time to make a difference.”
The number of cybersecurity incidents at DHS has risen 17 percent over the past year, data shows, and attacks by more advanced malicious software have risen 134 percent since 2010.
The agency doesn’t track what information is being stored in public clouds, inspectors said. Plus, DHS has 67 external Internet connections that could be potential gateways for hackers to get in.
The severity of security breaches depends on the nature of the information compromised, said Paul Rosenzweig, a homeland security analyst at the Heritage Foundation, a conservative think tank.
“If it’s the system that contains all of yours and mine flight information, then I’m a little more concerned than if it’s the system they use to buy water bottles for the [airport] screeners,” said Mr. Rosenzweig, a former DHS official.
What’s perhaps more troubling, he said, is the government’s inability to get its own affairs in order and the evidence of the difficulties federal agencies have in procuring IT services and equipment.
“We have not managed to match our means of purchasing computer cybersecurity systems to the dynamic, ever-changing environment that is the cyberspace,” Mr. Rosenzweig said.
Officials at Homeland Security said they are working to shore up the agency’s vulnerabilities.
“DHS has also taken actions to address the administration’s cybersecurity priorities, which included implementation of trusted Internet connections, continuous monitoring of the department’s information systems and data that support the DHS mission,” a response from the agency said.