IG: Homeland Security system flaws stymie ability to secure cyberspace

A federal inspection has uncovered weaknesses in Homeland Security Department systems that house information regarding critical U.S. networks.

In the United States, DHS is responsible for securing cyberspace. The June review, which was distributed in redacted form late Wednesday, examined the safeguards for two department systems that contain sensitive data about vital U.S. networks and infrastructure.

Specifically, the "protected critical infrastructure information," or PCII, systems store security reviews of critical, nonfederal networks and structures that companies and local governments voluntarily supply. Ordinarily, the information would not be accessible to federal authorities. Officials at all levels of government read the information to learn how to better secure the nation's critical infrastructure.

"Configuration and account access vulnerabilities identified on the [two] systems must be mitigated to manage and secure the systems and PCII data from the risks associated with internal and external threats, unauthorized access and misuse," Frank W. Deffer, assistant inspector general for information technology audits, wrote in the report.

In one of the systems, called the Automated Critical Asset Management System, auditors found "significant" access and setup flaws. "System configuration and account access control deficiencies may put ACAMS and its PCII data at significant risk of inappropriate access, disclosure and misuse," Deffer wrote.

Most of the technological weaknesses were blacked out in the report.

The IG also discovered personnel were granted excessive access to restricted systems.

More than 80 percent of ACAMS users should have had their login accounts deactivated because they had not needed to use the system for more than a month and a half. "DHS requires that accounts be deactivated after 45 days of inactivity to restrict access to sensitive information and minimize the potential for system misuse," Deffer reported.

In addition, the inspector general found that Homeland Security has not adhered to several strategic plans for carrying out its cyber duties. For example, DHS "has not developed objective, quantifiable performance measures to determine whether it is meeting its mission to secure cyberspace and protect critical infrastructures," Deffer stated.

He did, however, praise the agency's outreach campaigns to raise cybersecurity awareness nationwide, as well as its efforts to exchange tips with network operators worldwide.

"To prepare for, prevent and respond to catastrophic incidents that could degrade or overwhelm critical infrastructure and assets, [DHS] is working and sharing information with the public and private sectors, as well as international partners," Deffer wrote.

In responding to a draft report, Rand Beers, undersecretary for DHS' National Protection and Programs Directorate, wrote, "As NPPD works toward enhancing its programs, the OIG's independent analysis of program performance greatly benefits our ability to refine and improve our activities."

On Thursday, Homeland Security officials said the department continues to refine its responsibilities, priorities and goals to address OIG recommendations in a cost-efficient manner.

DHS has an online system, deployed in 2009, that allows the department to train and track personnel authorized to handle PCII, officials said. The tool makes it easier for DHS to protect and, when permissible, share the information with other federal and state agencies.
