DHS insider hacking case reveals serious network security vulnerabilities

Suspected employees were on paid leave for a year; despite findings, no criminal charges were filed.

Recent interviews with current and former personnel involved in a 2008 federal investigation into hacking and other network abuse at an immigration application processing center in Texas portray an out-of-control information technology office at a key Homeland Security Department agency. The vulnerabilities exposed by the year-long probe raise troubling questions about the agency's ability to police insider threats and employee and contractor access to critical government networks.

Poor supervision and an unqualified workforce at the U.S. Citizenship and Immigration Services facility fostered an environment that allowed gross security vulnerabilities and workplace bullying, current and former staff said. The Texas Service Center is one of four regional facilities that handle immigration-related petitions and applications for USCIS, an agency that has been prone to insider attacks. The sensitive data the office manages is particularly attractive to identity thieves who traffic in false documents; the data's compromise could create opportunities for human smugglers, terrorists and other criminals.

In 2008, the DHS inspector general found that skilled staffers knowingly created vulnerabilities, although their motives are not entirely clear from the documents obtained. Today, some employees contend network weaknesses and unqualified or incompetent technicians remain a problem.

While probing the Texas Service Center's computers to find the origins of an illicit email, agency IT analysts documented unrelated misconduct as well as more serious compromises of system security that prompted the departmental IG investigation, the officials said. Former USCIS personnel believe that among the violations a small number of center specialists read management-level emails by cracking into systems.

The yearlong IG probe confirmed major security breaches but was not able to attribute them to specific individuals, those interviewed said. The Justice Department decided not to prosecute the subjects of the investigation for reasons that were redacted in a copy of the report reviewed by Nextgov.

The investigation, which contains more than 100 pages of interviews, network analyses and internal emails, lists 17 subjects, all of whom were IT specialists and some of whom were employed by General Dynamics under contract to the agency.

Management Issues

As troubling as the security violations were, the agency's handling of the case raises additional concerns about USCIS leadership and stewardship of taxpayer dollars. Federal employees were placed on paid leave, some for more than a year, and while at least three were punished for misconduct, none were fired. In contrast, General Dynamics completed its own review within weeks, firing some employees and exonerating others, according to people familiar with the investigation.

Company spokesman Mark Meudt declined to answer questions about disciplinary actions, citing privacy restrictions.

USCIS Press Secretary Christopher Bentley said in a statement, "USCIS is committed to ensuring that our internal IT systems meet the highest security levels. We are equally committed to providing full due process to our employees regarding personnel actions consistent with merit system principles."

He declined to comment on the amount of money the agency paid staff on administrative leave during the investigation or describe how the workload was handled in their absence.

Said one federal employee who worked at the Texas facility during the episode: "At the end of the investigation, there were no criminal charges against anyone . . . After returning to work, being cleared of all charges, and suffering the humiliation and stigma of being crooked, these [IT specialists] could not go in the server room unescorted."

After the investigation, an onsite manager was sentenced to a 30-day suspension and demoted from GS-14 supervisory IT specialist to IT specialist at the GS-13 level. The supervisor failed to report that one of her subordinates "was collecting passwords for all servers and other equipment and making 3 copies on a CD-ROM," then-Acting Deputy CIO Leslie Hope wrote in an internal memo obtained by Nextgov. She noted that the manager also neglected to report that another staffer planned to provide diagrams of an office local area network to a person not authorized to possess such sensitive information.

In addition, the manager was accused of lying during the investigation. "You falsely stated that you were not aware there was a CD-ROM which contained administrative logins and passwords and that you had never heard of it," Hope wrote.

"Your acceptance of security breaches as common practice violated the DHS Rules of Behavior, DHS Sensitive Systems Handbook and other management directives," she added. "Your failure to accept responsibility for your inactions suggests that you cannot perform your duties and responsibilities in accordance with DHS policies. I have lost trust in your ability to manage an IT department in USCIS."

The supervisor, who continues to work at the agency, was not authorized to speak about the matter.

"Clearly this was a section that had gone off the reservation a long time ago," said one official who worked at USCIS during the investigation. "They gradually rationalized small wrongdoings that led to a complete breakdown of IT controls. . . I think someone took advantage of the breakdown."

Many of the center's specialists lacked the skills and experience necessary to operate and secure the network, several USCIS employees said. The absence of qualified personnel at the Texas Service Center seems to have dated back years. In 2006, an employee attempting to fix an internal server that had stopped working accidentally opened the system to internal and external attacks. "Anyone on the local network had full access to the entire C: drive," a longtime employee said. "Anyone dialing in from the outside could gain access to the server if they knew how to bypass a dial-up login on a [remote access server] -- which shouldn't be too hard to do."

USCIS churned through three chief information officers over five years and the IT shop never gained enough stability to resolve such entrenched challenges, both employees and officials said. In DHS' 2007 annual financial report, then-Secretary Michael Chertoff cited the office of the USCIS CIO as one of a few departmental "material weaknesses."

One specialist implicated in the investigation was ordered by a supervisor to provide a system administration username and password to non-IT personnel that allowed them to download software to government computers, according to former staffers. Federal policy prohibits the unauthorized release of such passwords. The accused employee, who still works for the agency, was not permitted to comment.

The specialist admitted that distributing the codes was "against every security practice that [I] have been trained on," Hope wrote. She signed several of the disciplinary letters related to the investigation. As a result of following the orders, the employee was dealt a three-day suspension for improper conduct. When the employee asked the union for help overturning the charge, the union responded in a letter, obtained by Nextgov, that stated, "Never trust a supervisor." The specialist did not take the case to arbitration.

Nearly three years after the investigation, resentment and suspicion color the IT operations at the facility. Some federal employees said the stain from the probe has hampered their ability to find jobs elsewhere or gain promotions at the Texas Service Center, despite subsequently garnering accolades for stellar performance, in one case.

Federal employees there in 2008 said they believe a new team of IT superiors, which included then-CIO Jeff Conklin, was determined to get rid of the established workforce. By searching through employee emails for wrongdoing, USCIS officials were "stacking charges" to fire the existing staff, said Jerry Armstrong, the father of one of the accused IT specialists. Hope handed his son a 30-day suspension, downgrading an earlier proposal for termination from a division chief, according to a memo. Agency officials declined to make Hope or Conklin, who was reassigned to another DHS unit before the end of the IG investigation, available for comment.

Initially, Armstrong's son was charged with improper conduct based on findings that he, among other things, emailed passwords without protecting the sensitive data, compromised network security by providing system diagrams to an unauthorized individual, failed to report network security violations and did not report missing network equipment. He also sent "racist, defamatory, obscene and/or sexist messages," Hope wrote.

The accused employee, who still works for the agency, could not comment on the matter. The father said his opinions were his alone.

"As soon as I confronted the government with these security violations, they dropped them all," said Armstrong, a former chief patrol agent for the U.S. Border Patrol who said he handled disciplinary actions there. "I'm not saying [my son] was totally innocent of everything. But the mistakes were not near as serious as the government made them out to be." The unprotected passwords were nonsensitive, temporary codes. And the accused employee gave system diagrams to his former supervisor, who had been placed in charge of special projects and was authorized to see the information, the father claimed.

But "[my son] did deserve a disciplinary action, and I'd be the first to tell you that," he added. The son emailed sexually explicit messages and arguably racist cartoons. The government ultimately abandoned all charges and replaced them with a 30-day suspension for using inappropriate language in emails. "Since that time, [my son] is back and he's very good at his job," the father said.

The probe started in January 2008 after senior USCIS officials received an email with the subject head "Mad in Texas" that complained about Ken McGowan, who had recently retired from the Army as a sergeant major and was hired as an IT systems engineering specialist at the Texas center. The message, viewed by Nextgov, said McGowan's goal was to eliminate the existing federal staff. Former officials said the content of the message, while unprofessional, did not break any rules, but the manner in which it was transmitted was a federal security no-no. The file properties showed the sender disguised his or her identity using a government computer on the USCIS network on government time to access an external email system. Shortly after the message circulated, USCIS officials requested the IG investigation.

Insider Threat History

USCIS has had its fair share of renegade insiders intent on doctoring immigration records. This spring, Justice officials announced the sentencing of a former agency contractor to five and a half years in jail for manipulating personal data to help illegal immigrants obtain passports. The DHS inspector general earlier this year reported that internal computer fraud could become a greater risk because security requirements for a $2.4 billion project to automate USCIS casework overlooked insider threats.

According to an interview documented in the 2008 IG case, a few federal IT specialists had acquired prohibited permissions for reading other center employees' emails -- domain authorizations dubbed "God rights."

Kevin M Tinker, president of the local union representing the USCIS workers, said his members did not engage in any email intrusions. In fact, he added, they were the victims of unauthorized surveillance.

"My members had been complaining that someone had been hacking into their accounts," Tinker said. Former officials said the hacking was authorized. Internal IT security staff performing a USCIS investigation ordered an examination of some of the employees' computers because there were indications they had been used for unauthorized purposes.

One former specialist, who became unemployed when his temporary federal assignment expired during the investigation, confirmed his colleagues were angry about the way McGowan treated them. The employee noted that IG investigators neglected to question anyone about a climate of fear, intimidation and retaliation that emerged after McGowan arrived.

Conklin tapped McGowan after meeting the veteran at a government-sponsored Hiring Heroes career fair at Fort Sam Houston, Texas, according to Phillip Helslander, an attorney representing McGowan in several employment matters. McGowan, a reservist activated for the Iraq war, became eligible for the special hiring program upon his release from active duty. His prior civilian work experience had included advanced engineering on a type of remote access system that had been creating extreme difficulties for the Texas facility. Under the special program, Conklin had direct authority to hire a veteran to address the problem, so he employed McGowan, Helslander said.

McGowan, who has since been moved to another USCIS position, was not available for comment.

Helslander said McGowan was sent to Texas to correct a situation where federal employees were abdicating their responsibilities. Much of the animosity toward McGowan likely stemmed from employees who were unhappy about now having to actually work, he said. Meanwhile, McGowan was frustrated in his attempts to train the existing staff. The retired sergeant major -- "a no-nonsense individual" -- came in to take charge and expected cooperation, Helslander said.
