The U.S. Secret Service received poor marks after a cybersecurity audit by the Office of Inspector General. The...
investigative report blamed the security issues on a lack of proper oversight and because the Secret Service traditionally has not prioritized cybersecurity.
The inspector general (IG) performed the cybersecurity audit after the Secret Service improperly accessed and disclosed information about Rep. Jason Chaffetz (R-Utah), chairman of the House Committee on Oversight and Government Reform, which monitors U.S. Secret Service (USSS) operations.
A number of weaknesses were found, including inadequate system security plans (SSP), systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections and over-retention of records.
"These problems occurred because USSS has not consistently made IT management a priority. The USSS CIO lacked authority for all IT resources and was not effectively positioned to provide necessary oversight," the report read. "Inadequate attention was given to updating USSS IT policies to reflect processes currently in place. High turnover and vacancies within the Office of the CIO meant a lack of leadership to ensure IT systems were properly managed. In addition, USSS personnel were not adequately trained to successfully perform their duties."
Bobby Kuzma, systems engineer at Core Security Corp., based in Roswell, Ga., said it was "absolutely not" surprising that another government agency was found to have poor cybersecurity.
"There is a huge institutional and cultural problem in many organizations, and not just within the government," Kuzma told SearchSecurity. "There are huge amounts of staff turnover combined with poor prioritization and lack of support from upper management leading to this scenario, as the report reveals."
Rebecca Herold, CEO of Privacy Professor, said she knew people trying to implement strong security in government agencies are not always getting the necessary resources.
"They often get little budget, no authority or support, and plenty of blame when bad things happen," Herold told SearchSecurity. "Congress typically cuts information security budgets; opposes strong security controls, such as encryption; does not give CISOs and [chief privacy officers] CPOs appropriate authority; and then they are the first to blame and shame when security incidents and privacy breaches occur."
According to the cybersecurity audit report, the USSS has little room for error in its primary mission of "protecting the president, other dignitaries and events, and investigating financial [crimes] and cybercrimes to help preserve the integrity of the nation's economy."
"USSS has much work to do to make IT a priority. This requires establishing and implementing an IT governance framework that addresses, at a minimum, the IT organizational and management deficiencies identified in this report," the report read. "It also requires that USSS leadership fully understand and address the potential for insider risks, not only from system administrators and inadequately managed IT contractors, but also from employees and business partners."
The IG report noted cybersecurity documentation for the USSS was often incomplete and the SSP was even missing in one case, leading to confusion as to how responsibilities were allocated and who was performing what functions.
"Without these key SSP items in place, USSS had no reasonable assurance that mission-critical case management and investigative information was properly maintained and protected. In addition, those relying on the system to protect their identities or [personally identifiable information] could have no assurance of proper data maintenance or protection against unauthorized disclosure, access or theft," the report read. "Without complete and accurate documentation, authorizing officials lack information necessary to make credible risk-based decisions that the protections assigned to each information system were adequate and effective."
Kuzma said the lack of training stems from a flawed organizational culture and misplaced priorities.
The key findings of the audit showed the USSS policies and procedures were a decade out of date, Kuzma said, and he attributed the lack of training to human resource requirements.
"All employees must hold a top-secret clearance, which there is a huge backlog on," Kuzma said. "They then have to utilize contractors to fill these roles who are unaware of the special requirements by both federal laws and DHS [Department of Homeland Security] policies."
The cybersecurity audit also found USSS access controls were outdated and did not address the principle of least privilege. In addition, audit controls were not fully implemented, information systems were not compliant with privacy protection requirements, privacy documentation was incomplete, records were held longer than necessary and there was no full-time CPO.
"Fifty percent of the USSS privacy officer's duties related to Freedom of Information Act requirements. Thus, the privacy officer was not available full time to monitor USSS compliance with all federal privacy laws and regulations; implement corrective, remedial and preventative actions to ensure privacy protections; draft privacy documents; and carry out other privacy-related responsibilities," the report read. "The lack of a full-time, dedicated USSS privacy officer reporting directly to the USSS director increased the likelihood that privacy requirements would continue to not be fully addressed."
Herold said assigning a privacy officer for the USSS was only half the battle.
"What is needed to enable cybersecurity staff to be effective is to give a position, such as information security officer and/or privacy officer, true authority to implement security and privacy policies and procedures that they can then enforce," Herold said. "Over the course of my entire career, I've seen that information security and privacy officers who have no or insufficient authority will consistently fail. When people ignore your policies because you have no authority, security and privacy risks expand and breaches occur."
The IG admitted in the report that starting in 2006, the USSS CIO "no longer had oversight and authority over USSS agencywide IT," when that authority was given to the Information Resources Management Division. The USSS has also seen quite a lot of turnover in the CIO, as well as with the CISO and information system security manager positions.
All of this means the "USSS systems and data remain vulnerable to unauthorized access and disclosure," according to the report, and "insider threats present within the organization may be able to steal, alter or destroy mission-critical data; export malicious code to other systems; install covert backdoors that would permit unauthorized access to data or network resources; or impact the availability of any information system's resources or networks."
Herold said, "Every government agency that collects, handles, stores or otherwise has access to a lot of personal data, along with other sensitive information, has heightened insider-threat risk. And so, [it] needs to put more attention to ensure personnel are training, monitored appropriately and have ongoing background checks for the positions with access to large amounts of data."
Learn more about what was reported in the internal cybersecurity audit of the DHS.