DHS insider hacking case reveals serious network security vulnerabilities

Suspected employees were on paid leave for a year; despite findings, no criminal charges were filed.

Recent interviews with current and former personnel involved in a 2008 federal investigation into hacking and other network abuse at an immigration application processing center in Texas portray an out-of-control information technology office at a key Homeland Security Department agency. The vulnerabilities exposed by the year-long probe raise troubling questions about the agency's ability to police insider threats and employee and contractor access to critical government networks.

Poor supervision and an unqualified workforce at the U.S. Citizenship and Immigration Services facility fostered an environment that allowed gross security vulnerabilities and workplace bullying, current and former staff said. The Texas Service Center is one of four regional facilities that handle immigration-related petitions and applications for USCIS, an agency that has been prone to insider attacks. The sensitive data the office manages is particularly attractive to identity thieves who traffic in false documents; the data's compromise could create opportunities for human smugglers, terrorists and other criminals.

In 2008, the DHS inspector general found that skilled staffers knowingly created vulnerabilities, although their motives are not entirely clear from the documents obtained. Today, some employees contend network weaknesses and unqualified or incompetent technicians remain a problem.

While probing the Texas Service Center's computers to find the origins of an illicit email, agency IT analysts documented unrelated misconduct as well as more serious compromises of system security that prompted the departmental IG investigation, the officials said. Former USCIS personnel believe that among the violations a small number of center specialists read management-level emails by cracking into systems.

The yearlong IG probe confirmed major security breaches but was not able to attribute them to specific individuals, those interviewed said. The Justice Department decided not to prosecute the subjects of the investigation for reasons that were redacted in a copy of the report reviewed by Nextgov.

The investigation, which contains more than 100 pages of interviews, network analyses and internal emails, lists 17 subjects, all of whom were IT specialists and some of whom were employed by General Dynamics under contract to the agency.

Management Issues

As troubling as the security violations were, the agency's handling of the case raises additional concerns about USCIS leadership and stewardship of taxpayer dollars. Federal employees were placed on paid leave, some for more than a year, and while at least three were punished for misconduct, none were fired. In contrast, General Dynamics completed its own review within weeks, firing some employees and exonerating others, according to people familiar with the investigation.

Company spokesman Mark Meudt declined to answer questions about disciplinary actions, citing privacy restrictions.

USCIS Press Secretary Christopher Bentley said in a statement, "USCIS is committed to ensuring that our internal IT systems meet the highest security levels. We are equally committed to providing full due process to our employees regarding personnel actions consistent with merit system principles."

He declined to comment on the amount of money the agency paid staff on administrative leave during the investigation or describe how the workload was handled in their absence.

Said one federal employee who worked at the Texas facility during the episode: "At the end of the investigation, there were no criminal charges against anyone . . . After returning to work, being cleared of all charges, and suffering the humiliation and stigma of being crooked, these [IT specialists] could not go in the server room unescorted."

After the investigation, an onsite manager was sentenced to a 30-day suspension and demoted from GS-14 supervisory IT specialist to IT specialist at the GS-13 level. The supervisor failed to report that one of her subordinates "was collecting passwords for all servers and other equipment and making 3 copies on a CD-ROM," then-Acting Deputy CIO Leslie Hope wrote in an internal memo obtained by Nextgov. She noted that the manager also neglected to report that another staffer planned to provide diagrams of an office local area network to a person not authorized to possess such sensitive information.

In addition, the manager was accused of lying during the investigation. "You falsely stated that you were not aware there was a CD-ROM which contained administrative logins and passwords and that you had never heard of it," Hope wrote.

"Your acceptance of security breaches as common practice violated the DHS Rules of Behavior, DHS Sensitive Systems Handbook and other management directives," she added. "Your failure to accept responsibility for your inactions suggests that you cannot perform your duties and responsibilities in accordance with DHS policies. I have lost trust in your ability to manage an IT department in USCIS."

The supervisor, who continues to work at the agency, was not authorized to speak about the matter.

"Clearly this was a section that had gone off the reservation a long time ago," said one official who worked at USCIS during the investigation. "They gradually rationalized small wrongdoings that led to a complete breakdown of IT controls. . . I think someone took advantage of the breakdown."

Many of the center's specialists lacked the skills and experience necessary to operate and secure the network, several USCIS employees said. The absence of qualified personnel at the Texas Service Center seems to have dated back years. In 2006, an employee attempting to fix an internal server that had stopped working accidentally opened the system to internal and external attacks. "Anyone on the local network had full access to the entire C: drive," a longtime employee said. "Anyone dialing in from the outside could gain access to the server if they knew how to bypass a dial-up login on a [remote access server] -- which shouldn't be too hard to do."

USCIS churned through three chief information officers over five years and the IT shop never gained enough stability to resolve such entrenched challenges, both employees and officials said. In DHS' 2007 annual financial report, then-Secretary Michael Chertoff cited the office of the USCIS CIO as one of a few departmental "material weaknesses."

One specialist implicated in the investigation was ordered by a supervisor to provide a system administration username and password to non-IT personnel that allowed them to download software to government computers, according to former staffers. Federal policy prohibits the unauthorized release of such passwords. The accused employee, who still works for the agency, was not permitted to comment.

The specialist admitted that distributing the codes was "against every security practice that [I] have been trained on," Hope wrote. She signed several of the disciplinary letters related to the investigation. As a result of following the orders, the employee was dealt a three-day suspension for improper conduct. When the employee asked the union for help overturning the charge, the union responded in a letter, obtained by Nextgov, that stated, "Never trust a supervisor." The specialist did not take the case to arbitration.

Nearly three years after the investigation, resentment and suspicion color the IT operations at the facility. Some federal employees said the stain from the probe has hampered their ability to find jobs elsewhere or gain promotions at the Texas Service Center, despite subsequently garnering accolades for stellar performance, in one case.

Federal employees there in 2008 said they believe a new team of IT superiors, which included then-CIO Jeff Conklin, was determined to get rid of the established workforce. By searching through employee emails for wrongdoing, USCIS officials were "stacking charges" to fire the existing staff, said Jerry Armstrong, the father of one of the accused IT specialists. Hope handed his son a 30-day suspension, downgrading an earlier proposal for termination from a division chief, according to a memo. Agency officials declined to make Hope or Conklin, who was reassigned to another DHS unit before the end of the IG investigation, available for comment.

Initially, Armstrong's son was charged with improper conduct based on findings that he, among other things, emailed passwords without protecting the sensitive data, compromised network security by providing system diagrams to an unauthorized individual, failed to report network security violations and did not report missing network equipment. He also sent "racist, defamatory, obscene and/or sexist messages," Hope wrote.

The accused employee, who still works for the agency, could not comment on the matter. The father said his opinions were his alone.

"As soon as I confronted the government with these security violations, they dropped them all," said Armstrong, a former chief patrol agent for the U.S. Border Patrol who said he handled disciplinary actions there. "I'm not saying [my son] was totally innocent of everything. But the mistakes were not near as serious as the government made them out to be." The unprotected passwords were nonsensitive, temporary codes. And the accused employee gave system diagrams to his former supervisor, who had been placed in charge of special projects and was authorized to see the information, the father claimed.

But "[my son] did deserve a disciplinary action, and I'd be the first to tell you that," he added. The son emailed sexually explicit messages and arguably racist cartoons. The government ultimately abandoned all charges and replaced them with a 30-day suspension for using inappropriate language in emails. "Since that time, [my son] is back and he's very good at his job," the father said.

The probe started in January 2008 after senior USCIS officials received an email with the subject head "Mad in Texas" that complained about Ken McGowan, who had recently retired from the Army as a sergeant major and was hired as an IT systems engineering specialist at the Texas center. The message, viewed by Nextgov, said McGowan's goal was to eliminate the existing federal staff. Former officials said the content of the message, while unprofessional, did not break any rules, but the manner in which it was transmitted was a federal security no-no. The file properties showed the sender disguised his or her identity using a government computer on the USCIS network on government time to access an external email system. Shortly after the message circulated, USCIS officials requested the IG investigation.

Insider Threat History

USCIS has had its fair share of renegade insiders intent on doctoring immigration records. This spring, Justice officials announced the sentencing of a former agency contractor to five and a half years in jail for manipulating personal data to help illegal immigrants obtain passports. The DHS inspector general earlier this year reported that internal computer fraud could become a greater risk because security requirements for a $2.4 billion project to automate USCIS casework overlooked insider threats.

According to an interview documented in the 2008 IG case, a few federal IT specialists had acquired prohibited permissions for reading other center employees' emails -- domain authorizations dubbed "God rights."

Kevin M Tinker, president of the local union representing the USCIS workers, said his members did not engage in any email intrusions. In fact, he added, they were the victims of unauthorized surveillance.

"My members had been complaining that someone had been hacking into their accounts," Tinker said. Former officials said the hacking was authorized. Internal IT security staff performing a USCIS investigation ordered an examination of some of the employees' computers because there were indications they had been used for unauthorized purposes.

One former specialist, who became unemployed when his temporary federal assignment expired during the investigation, confirmed his colleagues were angry about the way McGowan treated them. The employee noted that IG investigators neglected to question anyone about a climate of fear, intimidation and retaliation that emerged after McGowan arrived.

Conklin tapped McGowan after meeting the veteran at a government-sponsored Hiring Heroes career fair at Fort Sam Houston, Texas, according to Phillip Helslander, an attorney representing McGowan in several employment matters. McGowan, a reservist activated for the Iraq war, became eligible for the special hiring program upon his release from active duty. His prior civilian work experience had included advanced engineering on a type of remote access system that had been creating extreme difficulties for the Texas facility. Under the special program, Conklin had direct authority to hire a veteran to address the problem, so he employed McGowan, Helslander said.

McGowan, who has since been moved to another USCIS position, was not available for comment.

Helslander said McGowan was sent to Texas to correct a situation where federal employees were abdicating their responsibilities. Much of the animosity toward McGowan likely stemmed from employees who were unhappy about now having to actually work, he said. Meanwhile, McGowan was frustrated in his attempts to train the existing staff. The retired sergeant major -- "a no-nonsense individual" -- came in to take charge and expected cooperation, Helslander said.
