TSA and Inspectors Tussle Over Redactions in JFK Tech Audit

An internal watchdog is calling for the Transportation Security Administration -- for the third time -- to make public portions of an audit on computer security at JFK Airport. But TSA maintains that all of the information is too national security-sensitive to release.

Released Jan. 23 with redactions, the Department of Homeland Security inspector general review found numerous cyber gaps, most having to do with hazardous climates in computer rooms and missing fire protection systems. 

JFK typically is the sixth-busiest airport in the country, except on winter weather days like today, when an expected blizzard has grounded jets.

TSA's stonewalling delayed publication of the report for two months. On Oct. 20, 2014, department officials first notified DHS IG John Roth that certain parts of the report should be marked black. Roth twice objected to this suggestion in written letters. Each request was greeted by DHS with radio silence. 

In a cover letter accompanying the final audit, Roth said, "The procedural history of this report elicits an unfortunate commentary on the manner in which the department handled this matter and bears review . . .I believe that this report should be released in its entirety in the public domain." 

Such alleged secrecy has been flagged in the past. Concerned about TSA dragging its feet on redactions, lawmakers told DHS to mandate that the agency respond in a timely fashion. It's not clear whether TSA wanted the JFK information removed to guard against terrorism or to guard the agency's reputation. 

Government Calls for More Transparency from TSA

The unique part about this case is the demand for candor comes from inside the government.

“What’s remarkable here is that the call for greater disclosure is not coming from pro-transparency advocacy groups," said Steven Aftergood, director of a project on government secrecy at the Federation of American Scientists. "It’s coming from the agency inspector general in the name of improved oversight. It’s a message that has to be taken seriously, by TSA itself and by Congress." 

Some lawmakers immediately pressed TSA to reverse its decision to black out information. 

"Unfortunately, government agencies have all too often overclassified material under the pretext of security in order to sweep negative or embarrassing information under the rug," Rep. Bennie Thompson, D-Miss., said in a statement Friday. "I hope that the acting administrator promptly reviews the decision to classify portions of the report and reverses this decision.”

Roth said the redactions cover up "nonspecific vulnerabilities that are common to virtually all systems and would not be detrimental to transportation security." Plus, similar information has been published in past watchdog reviews, and Immigration and Customs Enforcement revealed comparable information in the new report. 

For example, Roth said, on one partially redacted page, "we display a picture of TSA equipment in a corridor accessible by unsecured double doors to public area prior to TSA terminal security checkpoint," and "this is a picture of IT equipment similar to the IT equipment pictured in figures 4, 5 and 6 of our draft report, yet [TSA] did not mark those figures . . . This risk can be controlled and eliminated by TSA simply securing the terminal corridor from unauthorized access."

TSA has over-redacted information in recent years. Agency officials in a July 3, 2013, contract award notice did not disclose the mission that the newly acquired “mission scheduling and notification system,” or MSNS, would support. But the mission, the Federal Air Marshal Service, is easy to see on a public government website intended to provide transparency into federal spending. 

Smoke Detectors. Who Needs ‘Em?

The unredacted parts of the JFK audit note the absence of physical security protections in numerous server rooms and communication closets. Also, TSA has not updated server software with bug fixes or put in place safeguards for closed-circuit television cameras. 

"Since the JFK cameras and surveillance system have not undergone the required security and privacy reviews, vulnerabilities may exist that may put this information at risk, and lead to violations of U.S. privacy laws and DHS policy," Roth said. 

TSA did not have any devices to measure humidity in the 21 computer rooms inspectors visited. More than half -- 13 -- did not have smoke detectors. Nearly all the rooms were not verified to be within acceptable temperature ranges. The facilities either didn't have thermometers or were outside the cooling bounds. 

"These deficiencies place at risk the confidentiality, integrity and availability of the data stored, transmitted and processed by TSA at JFK," Roth said.

Five Customs and Border Protection computer rooms were at temperatures higher than allowed. In 2012, inspectors found similar heat problems at O'Hare International Airport in Chicago. 

On Monday, DHS officials told Nextgov the department will act on the security holes identified, but will not lift the lid on sensitive data it is "bound" by law to protect. The decision to withhold information took into account "DHS’ commitments to transparency and the public’s right to know," officials said. 

In an emailed statement, DHS spokeswoman Ginette Magana said, "Ensuring the security and integrity of our information technology systems that support our wide-ranging missions to protect the homeland is a high priority for DHS."

As a start, "the department has already implemented corrective actions to include: resolving existing system vulnerabilities; securing IT equipment from unauthorized access; and ensuring that environmental controls for the facility are established, documented, and implemented to provide needed protection," she added. 

Industry trade group Airlines for America said Monday evening it had not had a chance to review the report.