Taxpayers might expect that the U.S. agency charged with warning the public about computer viruses and other cyberthreats - and coordinating the federal government’s response to them - would keep its own information technology systems up-to-date with the latest security patches and software updates.
They would be wrong.
According to a new report by government auditors, systems at the U.S. Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, were not maintained with updates and security patches in a timely fashion and as a result were riddled with vulnerabilities that hackers could exploit.
The report said the issue of inadequate and untimely patching had been raised by another review of the systems more than a year ago.
Homeland Security officials said the vulnerabilities have been fixed since the audit, and new procedures and equipment are in place to ensure the systems will be kept up to date.
The audit, conducted this year by the Homeland Security inspector general, scanned a number of different systems used by US-CERT with software designed to detect flaws or vulnerabilities. It found more than 670, of which 202 were classified as “high-risk” because of the severity of the damage an attacker could do to the system by exploiting them.
“The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed,” states the auditors’ report, published Wednesday.
The report noted that patches were “being applied manually” to US-CERT systems and “Issues concerning [the] patching process, first identified during an April 2009 National Security Agency review,” had not been addressed at the time of the audit.
Patches are packages of software code that update or fix computer programs. Software makers distribute them regularly to address flaws they find in their products, or flaws that become apparent because computer viruses or other malicious software designed to exploit them begin to spread on the Internet.
Manual application means that individual users, or sometimes software engineers, have to download and install every patch themselves, rather than the computer fetching and installing updates automatically.
Computer security specialists say ensuring that every computer in a large network, such as those operated by the government or a major corporation, is updated with every patch for every program it runs is a huge headache for information technology departments, even those that use automated systems.
“Patch management doesn’t work,” said one former Homeland Security official who asked not to be identified because of the sensitive subject matter. “These problems exist on every network. … Ask any IT department in any large enterprise. … There is no network that is 100 percent patched. Eighty-five percent [of machines on the network being patched] is a good number.”
The auditors’ report did not provide a figure for the percentage of machines patched on the US-CERT networks it examined.
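To make the two measures discussed above concrete, the percentage of machines fully patched and whether patches were applied in a timely fashion, the following Python script is an added example and is not from the article, the inspector general's audit or any US-CERT tooling. It assumes a vulnerability scanner's export reduced to one record per missing patch per host; the host names, patch identifiers, severities and the per-severity remediation deadlines are all constructed placeholders.

```python
"""Summarize vulnerability-scan findings into a patch-compliance report.

Added example, not part of the original article or the audit it describes.
It assumes a scanner export reduced to one record per missing patch per
host; host names, patch IDs and SLA day-counts below are constructed.
"""
from collections import defaultdict

# Assumed remediation deadlines in days, by finding severity (a policy
# choice for this example, not a figure from the article).
PATCH_SLA_DAYS = {"high": 14, "medium": 30, "low": 90}

# Constructed inventory: every host the scanner was pointed at.
INVENTORY = ["web-01", "web-02", "db-01", "dns-01",
             "ws-01", "ws-02", "ws-03", "ws-04"]

# Constructed findings: one row per patch a host is missing, with the
# scanner's severity and how many days the patch has been available.
SCAN_FINDINGS = [
    {"host": "web-01", "patch": "P-001", "severity": "high",   "age_days": 45},
    {"host": "web-01", "patch": "P-002", "severity": "medium", "age_days": 10},
    {"host": "ws-02",  "patch": "P-003", "severity": "high",   "age_days": 20},
    {"host": "ws-02",  "patch": "P-004", "severity": "high",   "age_days": 3},
    {"host": "ws-03",  "patch": "P-005", "severity": "low",    "age_days": 120},
]


def is_overdue(finding, sla=PATCH_SLA_DAYS):
    """A finding is overdue once the patch has been available for longer
    than the SLA for its severity."""
    return finding["age_days"] > sla[finding["severity"]]


def summarize(findings, inventory, sla=PATCH_SLA_DAYS):
    """Return fleet-wide coverage and prioritisation figures."""
    by_host = defaultdict(list)
    for f in findings:
        if f["host"] not in inventory:
            raise ValueError(f"unknown host in scan output: {f['host']}")
        by_host[f["host"]].append(f)

    # "Patched" here means the scanner found nothing missing on the host.
    fully_patched = [h for h in inventory if h not in by_host]
    coverage_pct = 100.0 * len(fully_patched) / len(inventory)

    # Rank unpatched hosts: most high-risk gaps first, then most gaps overall.
    def rank(host):
        rows = by_host[host]
        highs = sum(1 for r in rows if r["severity"] == "high")
        return (-highs, -len(rows), host)

    priority = sorted(by_host, key=rank)

    return {
        "hosts_total": len(inventory),
        "hosts_fully_patched": len(fully_patched),
        "coverage_pct": coverage_pct,
        "high_findings": sum(1 for f in findings if f["severity"] == "high"),
        "overdue_findings": sum(1 for f in findings if is_overdue(f, sla)),
        "priority": priority,
    }


def meets_target(report, target_pct):
    """Compare fleet coverage against a management target, such as the
    85 percent figure quoted by the former official."""
    return report["coverage_pct"] >= target_pct


if __name__ == "__main__":
    rep = summarize(SCAN_FINDINGS, INVENTORY)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("meets 85% target:", meets_target(rep, 85))
```

Two design points matter for an auditor reading such output: coverage counts hosts, not patches, so one stale workstation lowers the figure as much as a web server does, and the overdue count captures the "timely" dimension that a plain missing-patch tally hides. A host with a high-severity patch missing for only a few days is a different management problem from one that has sat unpatched for weeks.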
The auditors said that of four computer systems used at US-CERT, three - including the ones used to maintain the organization’s public website and compile data about the security of government computer networks - suffered from no significant vulnerabilities.
US-CERT is part of the National Cyber Security Division at Homeland Security. Its mission, according to its website, is to provide “response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and … to disseminate reasoned and actionable cyber security information to the public.”
The former official said patch management and other software maintenance on US-CERT systems was not performed by US-CERT personnel but rather by staff from another part of the department. The former official called the arrangement “classic stovepiping.”
“It is a classic pothole of IT being segregated away from the mission-owner,” the former official said, referring to the management of US-CERT. Even in a computer security organization like US-CERT, the former official said, “IT management issues often fall towards the bottom of the to-do list. It is not sexy work.”
One private-sector IT security specialist, who asked for anonymity because he works with the federal government and did not want to jeopardize his relationships there, told The Washington Times in an e-mail that “This is a management/leadership issue.”
“I do know they’re way over-burdened there [at US-CERT] considering the mission they have but you have to take care of your own house,” especially because of US-CERT’s position as the focal point for warnings about new vulnerabilities and other cyberthreats, the specialist said.
News of the report would make the work of US-CERT harder because it would undermine the agency’s reputation among security professionals, the specialist said. “It’s a credibility issue, and you have to be on your ‘A’ game when it comes to setting the example.”
“It looks like they’re going to get a lot of attention within the department as a result of this [report],” the specialist added. “I honestly believe that they’re swamped with work, competing priorities and a huge mission. … That is why prioritization is essential.”
But the former official told The Times that making such problems public made it harder to prioritize computer security issues in a rational way. “Throwing it out there like that just adds to the governance issues.”
“The department has already taken action to fulfill the recommendations of this report,” Homeland Security spokeswoman Amy Kudwa said in a statement.
She said the department recently implemented “a software management tool that will automatically deploy operating system and application security patches and updates to mitigate current and future vulnerabilities.”