Established in 2002, DHS defines its mission as ensuring “a homeland that is safe, secure, and resilient.” A core tenant in this goal is the need to “safeguard and secure cyberspace.”
But according to an investigation initiated by Senator Tom Coburn of the Homeland Security and Governmental Affairs Committee, the department has proven remarkably incompetent in its efforts to maintain cybersecurity, and are “unlikely to protect us.”
Other choice words used to describe the agency include, “lousy” “dysfunctional,” and “ineffective.”
“[DHS] is struggling to execute its responsibilities for cybersecurity, and its strategy and programs are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat.”
“Oops” Moments
One such concern is a strange DHS habit of ignoring its own advice. Once Microsoft stopped issuing security patches for Windows XP, DHS announced a government warning to stop using XP.
But the report found that DHS computers were still operating on XP, even after representatives claimed they had upgraded.
This mirrors other findings in the report which show that the agency failed to perform routine checks to “ensure its classified systems were up-to-date and secure.”
Imagine, if you will, being yelled at by someone behind the Apple Genius Bar for not creating a secure laptop password, only to find out that that same “genius” uses “1234” to access his bank, PayPal, Facebook, and Google Chrome accounts.
The report also notes that DHS consistently failed to follow proper protocol during cyberattack simulations, “which resulted in limited execution of appropriate operational actions.” This may be partially explained by the fact that many of the department’s analysts are severely undertrained, if trained at all.
“The training itself is poorly documented,” the report reads. “It is questionable from DHS’s records whether [training] occurs at all…”
A recent report by the Government Accountability Office also noted that DHS has failed to develop a plan for fending off cyberattacks against federal buildings. Many of these buildings have vulnerable heating, power, ventilation, air conditioning, and elevator systems.
Hacks Across the USA
Homeland Security also has a poor track record of preventing national security breaches, which extends far beyond the recent hacks into Central Command’s social media accounts and infiltration of Sony Pictures.
In 2013, hackers managed to break into the network of the U.S. Army Corps of Engineers. Non-public information about 85,000 dams was downloaded, including data about “the potential fatalities that could be caused by a breach.”
In 2014, Chinese hackers managed to hack into the U.S. Office of Personnel Management and recovered information on employees with “high-level security clearances.”
And, of course, there was the 2014 breach of the White House servers in an alleged Russian-sponsored attack.
Perhaps most embarrassing was a 2013 incident, in which someone – probably unsatisfied with that week’s “Walking Dead” episode – took over the FCC’s Emergency Broadcast System and warned three states of an impending zombie attack.
An Ill-Conceived Plan?
Yet perhaps most troubling of all – and most crucial as it relates to President Obama’s recent push to increase information sharing between the public and private sectors – is DHS’s inept handling of personal data.
“The Inspector General also found that DHS’s operating procedures for handling individuals’ personally identifiable information do not adequately protect that information.” It adds, “…DHS lacks specific instructions for how analysts should handle personally identifiable information, how they should minimize usage of it when it is unnecessary, and how to protect it on a day-to-day basis.”
Given that Obama’s recent push – along with Prime Minister David Cameron – to encourage tech companies to provide user data to both the NSA and allied intelligence agencies abroad relies so heavily on DHS information sharing programs, the report offers little comfort.
Obama’s new legislation relies on DHS’s National Cybersecurity and Communications Integration Center (NCCIC), which acts as a centralized hub through which most federal data is shared. If this hub has serious security issues, then so, too, could the president’s new proposals.
