Homeland Security's own IT security is a hot mess, watchdog finds

An inspector general audit found dozens of systems across the agency's networks were running old and outdated software, and in some cases, computers hadn't received security patches for five years.
Written by Zack Whittaker, Contributor

A government watchdog found that Homeland Security, the federal department in charge of protecting the nation's cybersecurity, had a litany of security problems of its own.

A newly released report by the department's Office of Inspector General found many of the agency's systems, including both unclassified and national security systems containing the highest "top secret" information, were running outdated, unsupported operating systems that in some cases hadn't been patched with security updates for years.

Some of the vulnerabilities were so serious that they "expose DHS data to unnecessary risks," the investigators said, adding that the agency needed to protect its systems "more fully and effectively."

According to the report, 64 vulnerable systems on the department's network lacked the authority to operate -- more than a dozen of which were national security systems storing highly sensitive classified information.

That fell short of the department's target to maintain all of its high-value systems with the correct security updates, patches, and approved configurations to prevent data leaks or breaches.

That included three servers -- one at Homeland Security headquarters, and two others run by the Coast Guard and the Secret Service -- which were still running Windows Server 2003. None of the servers had received security patches since July 2015, when Microsoft stopped supporting the operating system.

Not only that, vulnerability assessments on several computers running more recent, supported versions of Windows found as many as five critical vulnerabilities that hadn't been patched. That included two systems that were missing patches dating back to July 2013, and other systems that hadn't been patched against WannaCry, a notorious ransomware that infected tens of thousands of computers in a cyberattack last year.

Only a year earlier, Homeland Security's cyber-alert team warned of dangerous consequences when using software that would no longer receive patches.

The report wouldn't say which of Homeland Security's child agencies operated the vulnerable classified systems, but it said that FEMA, the federal emergency response agency, had 15 unclassified systems that lost their authority to operate. Homeland Security's own headquarters had the second-highest number of vulnerable unclassified systems -- a total of seven -- on its network.

The inspector general's investigation was launched after a cybersecurity executive order, signed by President Donald Trump last May, mandated federal agencies to audit their systems for vulnerabilities.

Homeland Security, whose mission in part is to protect the US from cybersecurity threats, was not exempt from the order.

It was during this period that the agency's chief information officer resigned just three months after taking the position. No reason was given for his departure.

A spokesperson for Homeland Security did not respond to a request for comment, but the agency said in the report that it concurred with the inspector general's findings and pledged to resolve any outstanding issues by late September.
