IG: DHS Struggles to Manage Privacy
Report Says Those Without 'Need to Know' Gain Access to PII
The Department of Homeland Security continues to struggle in protecting personally identifiable information and developing integrated, cost-effective and secure systems management policies, the DHS inspector general reports in an annual assessment of the department's performance.
In its new report, which was required by federal law, the IG says DHS failed to ensure it had uniform procedures to implement privacy policies and controls to integrate privacy protections for each process, program and information system that affects sensitive PII and protected information.
"DHS did not take appropriate steps to identify and mitigate physical risks to the security and confidentiality of records," Inspector General John Roth says in the report. "We observed instances in which passwords, sensitive IT information - such as server names or IP addresses - unsecured or unlocked credit cards and laptops, and printed materials marked 'For Official Use Only' or containing sensitive PII could be accessed by individuals without a 'need to know'."
Philip Reitinger, former DHS deputy undersecretary for cybersecurity, says the problems the IG details in the report about securing sensitive information that could be exposed in a breach are not unique to Homeland Security. "If you look hard you can find problems in any large and diverse organization - people are involved," says Reitinger, the former Sony CISO who now runs his own IT security consultancy. "What matters is how you address the issues."
Struggle to Share Cyberthreat Information
The IG says DHS must do a better job addressing the situation.
Roth says the National Protection and Programs Directorate - the DHS unit responsible for securing civilian agencies' IT and collaborating on cybersecurity among government agencies and with the private sector - continues to struggle in sharing and integrating cyberthreat information among five federal cyber-operations centers and collaborating with them to respond to cybersecurity incidents.
Cyber-operations centers did not have a common incident management system to track, update, share and coordinate cyber information, the report says. NPPD and the cyber-operations centers also did not have a standardized set of categories for reporting cybersecurity incidents, according to the report. "Without these," Roth says, "NPPD and the centers continued to be challenged in sharing cyber-incident information and coordinating an effective response."
Jim Crumpacker, DHS's liaison with the IG, says the department is taking steps to address those challenges. In a written response to the report, he cites revised federal incident notification guidelines issued last month by NPPD's Office of Cybersecurity and Communications that should provide clear instructions for submitting incident notification to DHS's United States Computer Emergency Readiness Team.
DHS's Revised Guidelines
"The revised guidelines have been shared with federal agencies as well as state, local, tribal and territorial governments; private-sector information sharing and analyses centers; foreign governments and private-sector organizations," Crumpacker says. "These guidelines support U.S.-CERT in executing mission objectives and result in better quality of information, improved information sharing and situational awareness and faster incident response times."
The IG acknowledges that DHS is taking action to better coordinate and share vital cyberthreat information with the five federal cyber-operations centers, including establishing partnerships with other centers to coordinate effective responses to cyber-incidents and increasing interagency collaboration and communications through liaisons and regular meetings.
"However," Roth says, "DHS must procure cybertools and technologies and develop a standard set of cyber-incident reporting categories to use with its operations center partners. DHS must also ensure its contractors have adequate controls in place to protect PII."
The IG did not make any recommendations, but did provide examples of DHS's struggles in maintaining employee privacy. For instance, the IG points out that a contractor informed the department earlier this year that a breach might have exposed the background check records of about 25,000 DHS employees. Though it didn't mention the contractor by name, the IG was referring to a breach hitting U.S. Investigation Services, which conducted security-clearance background checks on government workers and contractors.