While the Department of Homeland Security has made gains in strengthening its internal cybersecurity and technology best practices, it continues to suffer from serious vulnerabilities, according to a new report from the DHS inspector general. DHS cybersecurity policies continue to fall far below acceptable standards, even as the agency acts as the government lead.
Among the dirty laundry list of security problems are inadequate authentication, failure to properly track its information systems, and the use of outdated software.
“We identified a number of issues that DHS needs to address to strengthen its security posture,” the report stated. “For example, we determined that components are not satisfying all of the Department’s information security policies, procedures, and practices.”
In particular, DHS came up short on its plan of action and milestones (POA&M) management, system security authorization and consolidation of external network connections, the report said. Plus, components have not implemented all system configurations in accordance with DHS policies and procedures.
Also, for at least a year the DHS has not had a management program for tracking security vulnerabilities in classified systems.
“DHS does not monitor the adequacy of the POA&Ms for its ‘Top Secret’ systems,” the report noted. “As a result, DHS cannot ensure that POA&Ms have been created to mitigate the security vulnerabilities identified on its ‘Top Secret’ systems and ensure they are managed in accordance with DHS’ policies and procedures.”
This isn’t the first time DHS has been criticized for failing to meet minimum security standards. The agency, which is responsible for a large portion of the federal government’s security programs, has been previously criticized by members of Congress and the IG for failing on standard requirements like patching, authentication standards and control of external systems.
The latest report drew the ire of Senator Tom Coburn (R-Okla.), ranking member of the Senate Homeland Security and Governmental Affairs Committee, who chastised the DHS in a statement.
“This report shows major gaps in DHS’s own cybersecurity, including some of the most basic protections that would be obvious to any 13-year-old with a laptop,” said Coburn. “DHS doesn’t use strong authentication. It relies on antiquated software that’s full of holes. Its components don’t report security incidents when they should. They don’t keep track of weaknesses when they’re found, and they don’t fix them in time to make a difference.”
Coburn added DHS and other agencies should at least exercise the same cybersecurity practices the private sector uses to protect the nation’s critical infrastructure from cyber attacks.