DHS watchdog: Secret Service IT security is in shambles
The U.S. Secret Service’s IT is in disarray, and security and access controls are so poor that sensitive information is at risk from potentially malicious insiders, according to independent auditors.
According to a report out Friday from the Department of Homeland Security’s inspector general, the Secret Service — the lead federal agency charged with combatting financial cybercrimes — relied on a mainframe computer and software dating back to 1984 until last year. Additionally, many of its IT policies and plans were more than a decade old.
The agency says it has already addressed many of the issues found by auditors. Spokeswoman Cathy Milhoan said in a statement to CyberScoop that the agency would continue to work “to improve the oversight and management of its IT systems to ensure that the information with which it is entrusted is properly protected and secured.”
The audit “uncovered a myriad of problems with Secret Service’s IT management including inadequate system security plans, systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections, and over-retention of records,” the inspector general said in a statement.
The fieldwork for the audit was done a year ago, following the inspector general’s earlier probe of how nearly four dozen agency staff accessed confidential personal information of Rep. Jason Chaffetz, R-Utah, chairman of the House Committee on Oversight and Government Reform. The employees found the information by looking at his job application from 2003.
The latest report notes that fewer than one percent of Secret Service staff with standard computer access were using their Personal Identity Verification, or PIV, encrypted smartcards to log on — although that’s been a requirement of federal policy since 2004.
Even among privileged computer users, like senior managers and IT system administrators, nearly three percent weren’t using their PIV cards. 100 percent PIV-card compliance for privileged users was one of the objectives of the Obama administration’s cybersecurity sprint last year. The agency says PIV card use was made mandatory in June.
One of the reasons given by Secret Service officials for the delay, the report states, was that “compatibility issues with older IT systems hindered PIV implementation.”
That’s easy to believe, given that the service used a mainframe computer until July 2015, with a single application built in 1984 — the Master Control Index — that contained the majority of all the agency’s data.
The report additionally states the service’s privacy officer — in contravention of DHS policy — did not report directly to the agency chief, and spent about half their time working on Freedom of Information Act issues.
“The lack of a full-time, dedicated USSS Privacy Officer reporting directly to the USSS Director increased the likelihood that privacy requirements would continue to not be fully addressed,” the report states.
Auditors said the root cause of these failures was simple: IT management was not a priority. “The Secret Service CIO’s Office lacked authority, inadequate attention was given to updating IT policies, and Secret Service personnel were not given adequate training regarding IT security and privacy.”
“Today’s report reveals unacceptable vulnerabilities in Secret Service’s systems,” said Inspector General John Roth. “While Secret Service initiated IT improvements late last year, until those changes are fully made and today’s recommendations implemented, the potential for another incident like that involving Chairman Chaffetz’ personal information remains.”
Chaffetz himself, in a statement circulated to reporters, called for the agency to be stripped of its lead responsibility for financial cybercrime-fighting, saying it had proved unworthy of the responsibility.
“The Secret Service believes they have a core mission to protect the nation’s financial infrastructure from cyber related crimes, yet can’t keep their own systems secure. … The loss or theft of law enforcement sensitive information is disastrous and jeopardizes witnesses involved in criminal cases or the identities of undercover officers, or worse.”