Report: The DHS is a mess of cybersecurity incompetence

A large, embarrassing, and alarming Federal oversight report finds major problems and grave shortcomings with Department of Homeland Security cybersecurity programs and practices which are "unlikely to protect us".
Written by Violet Blue, Contributor
DHS cybersecurity failure
Assessing DHS performance 12 years after its creation, a new Federal report called "A Review of the Department of Homeland Security's Missions and Performance" contains a blistering summary on the state of DHS cybersecurity practices and programs.

The January 1 report reveals and concludes that DHS's cybersecurity practices and programs are so bad, the DHS fails at even the basics of computer security and is "unlikely" able to protect both citizens and government from attacks.

The report's section on cybersecurity is all bad news -- especially for fans of Obama's planned legislative cyberattack protections.

Spearheaded by (now-resigned) Senator Tom Coburn, a member of the Senate Homeland Security and Governmental Affairs Committee since 2005, the report "is a comprehensive overview of oversight conducted over the past decade to measure how well DHS is achieving its mission (...) based upon independent information and evidence as well as oversight conducted by my office and other watchdogs."

"Missions and Performance" spells out critical problems that will likely make the Obama administration's current round of cyber-posturing look meaningless in the face of its own cybersecurity incompetence.

DHS cybersecurity programs "unlikely to protect us"

The report cautions about DHS's limited strategies, noting: "While patch management and cyber hygiene are clearly important, they are only basic security precautions, and are unlikely to stop a determined adversary, such as a nation state seeking to penetrate federal networks to steal sensitive information."

The section on cybersecurity is titled: "The Department of Homeland Security is struggling to execute its responsibilities for cybersecurity, and its strategy and programs are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat."

One example in that section shows DHS departments effectively lying about performing critical and well-known security updates -- updates that DHS warned the public about via US-CERT.

An alarming example of DHS's poor cybersecurity practices and failure to practice what the Department preaches came earlier this year during the countdown to Microsoft's April 2014 end-date for providing security patches and updates for its Windows XP software in April 2014, which had been originally announced in April 2012.

DHS's own US-CERT (which issues cybersecurity warnings to government and private sector partners) issued a warning in March alerting its subscribers of the danger of running Windows XP after April.

But as of November 2013, the Inspector General was warning that several of DHS's own components were still operating Windows XP.

The Committee learned that the Department was continuing to run computers with the vulnerable software after Microsoft stopped providing updates, and after the Department's representatives had said it was no longer using the operating system.

Obama's cyberattack plans based on programs producing "little value"

The President's new cybersecurity initiatives specifically name DHS intelligence and information sharing programs -- yet the damning "Missions and Performance" report states "DHS's Intelligence and Information Sharing Programs Provide Little Value".

Obama's upcoming cybersecurity legislature leans heavily on DHS's National Cybersecurity and Communications Integration Center (NCCIC).

For those not in the know, the NCCIC "operates as a physical space and center to coordinate monitoring of cybersecurity and communications across civilian federal networks and critical infrastructure. It is home to many of DHS's cybersecurity programs, including the United States Computer Emergency Readiness Team and the National Cybersecurity Protection System."

The report said, "While the NCCIC had made some improvements, the Inspector General found that DHS and the NCCIC struggled with 'sharing cyber information among the Federal cyber operations centers.'"

The Inspector General also reported that DHS's analysts at the NCCIC did not follow protocols during a recent cybersecurity incident simulation, including that "playbooks were underutilized," "which resulted in limited execution of appropriate operational actions."

The Inspector General also found that the National Protection and Programs Directorate had an outdated continuity of operations (COOP) plan, which may hinder its ability to "restore its mission-essential functions in the event of an emergency," when the NCCIC's information sharing services may be needed most.

The report says the DHS is "lousy" at cybersecurity, and stresses that the DHS is a "dysfunctional culture" -- one outlined especially in an ominous section on DHS corruption -- and details misspent and wasted money, cybersecurity disasters, and a nation protected by largely untrained government contractors.

"Widespread weaknesses in the federal government's information security practices represent a significant vulnerability that could be exploited by adversaries, creating a potential threat to national security and American citizens."

The section "DHS's Struggles with its Own Information Security" isn't reassuring.

The DHS just isn't a fan of infosec practices, it seems. "Repeated audits by the Inspector General have found that the Department's own offices and employees do not always comply with federal rules and policies for agency cybersecurity."

After Snowden, one might think that classified systems had become the highest of DHS cyber-priorities. But in the report, under DHS stewardship this is simply not the case. "In 2013, the Inspector General found that DHS was even failing to conduct basic security reviews to ensure that its classified systems were up-to-date and secure."

The Department doesn't effectively track security weaknesses it knows about, and doesn't fix them in time, sometimes taking years.

DHS components are lousy at reporting security incidents when they happen. Many of the problems identified by the Inspector General have been cited in prior years' audits, and in some cases the IG's recommendations have been open for several years.

(...) In one instance, the Inspector General reports that the Secret Service did not provide the Department's management with data required by OMB to evaluate the components' compliance; which represents a "significant deficiency" and hinders the Department's ability to monitor employees' compliance with information security rules.

No one knows if the analysts handing your personal information are actually trained

American citizens are as cyber-protected by the DHS as the government's own classified systems. "the Inspector General's recent audits of DHS's information security program identified widespread problems, including that patches were missing on several components' systems, including TSA's server containing biometric data on two million Americans."

What's worse,

The Inspector General also found that DHS's operating procedures for handling individuals' personally identifiable information do not adequately protect that information.

Specifically, the report concluded that DHS lacks specific instructions for how analysts should handle personally identifiable information, how they should minimize usage of it when it is unnecessary, and how to protect it on a day-to-day basis.

Perhaps more troubling, DHS officials revealed to the Inspector General that the Privacy Impact Assessment DHS completed on the program overstates the training their analysts received in protecting individuals' privacy.

The training itself is poorly documented. It is questionable from DHS's records whether it occurs at all and the Inspector General found that even if it did, those analysts might be unable to differentiate personally identifiable information from less- or non-sensitive data.

Yet, they could be exposed to personal data on literally every American citizen as taxpayers submit their tax returns to the IRS, retirees receive their social security checks, and soldiers and veterans receive their salaries and retirement benefits.

The report says (and echoes the sentiments of many civilian infosec professionals) that the DHS approach on vuln mitigation is nothing but a losing strategy. "The nature of cybersecurity threats -- and the ability of adversaries to continuously develop new tools to defeat network defenses -- means that DHS's strategy for cybersecurity, which focuses primarily on vulnerability mitigation, will not protect the nation from the most sophisticated attacks and cybersecurity threats."

The report advises,

For cybersecurity, DHS's first job should be to set an example by becoming a model of effective cybersecurity and assisting OMB [DHS Office of Management and Budget] with its oversight of civilian agency information security.

For its other cybersecurity programs, DHS should reconsider its current strategy, which focuses largely on vulnerability mitigation and which will likely prove ineffective in preventing the most serious cyber security threats.

Report: US-CERT: Yesterday's news, next week

According to the report, the lifetime performance of US-CERT raises "questions about the usefulness of DHS's effort to provide technical assistance and leadership for private sector critical infrastructure owners and operators to address potential cybersecurity threats."

One concern about US-CERT's performance is that it does not always provide information nearly as quickly as alternative private sector threat analysis companies.

For example, in March of this year, US-CERT issued an advisory that Google had released a critical update to its popular internet browser, Google Chrome.

But the advisory came days after Google announced it, and countless other private sector sources had already covered it -- from popular news sites to small personal blogs.

The vulnerabilities fixed in the March 14 patch were critical security flaws publicly revealed in hacking competitions during the weekend between when Google issued the patch and US-CERT announced it.

Thus, those who relied on US-CERT to learn when to patch their browsers may have been exposed to hackers over the weekend.

DHS probably totally meant to deploy NCPS

DHS's National Cybersecurity Protection System (NCPS) acts as an intrusion detection, analysis, information sharing, and intrusion prevention system for civilian federal networks; identifying suspicious traffic through analysis and comparison with signatures of known threats.

DHS achieves these four objectives in NCPS through three iterations of DHS's EINSTEIN software systems and threat analysis by cybersecurity experts at US-CERT. (...) However, none of the three versions of EINSTEIN has been deployed across all civilian federal networks.

That's probably not a big deal because the report tells us NCPS only protects against some things it already knows about, and is totally foiled by encryption anyway.

The report suggests DHS rethink its priorities in a big way: "Recognizing the limits of vulnerability mitigation -- and that the idea of a cyber shield securing our networks is a dangerous illusion -- and the understood benefit of deterring adversaries, Congress and the Department should fundamentally rethink DHS's strategy for safeguarding and securing cyberspace."

Plus, zero days = free for all.

One of the key concerns about NCPS is that it relies heavily on signature-based detection -- it operates by scanning traffic to and from federal networks for the fingerprints of known threats and vulnerabilities.

Such systems can only protect against known threats, with the same fingerprints, and on traffic NCPS can see.

So, for example, NCPS cannot protect against hackers that encrypt their traffic, because NCPS cannot decrypt that traffic to peer into it and look for bad actors and malware.

Further NCPS cannot detect hackers if their software uses a vulnerability that has not been publicly revealed and DHS is not otherwise aware of -- so called "zero days" (referring to the number of days a vulnerability has been publicly known) -- or vulnerabilities that are too old to be included.

Finally, NCPS can only detect known fingerprints -- malware that changes its signatures can be effectively impossible to detect by signature-based intrusion detection like NCPS.

The report found that along with unimplemented programs, employees ignoring security protocol and updates, and incompetent response drill teams, the DHS is wasting tons of money on cyberprograms.

It explains, "DHS currently operates extensive programs across several of its components and directorates focusing on cybersecurity, including programs within the National Protection and Programs Directorate ($696 million annually) and the U.S. Secret Service ($9.8 million annually), and ICE's Homeland Security Investigations component."

To that, the report reveals, "DHS is paying program administration costs for Continuous Diagnostics & Mitigation/General Services Administration contracts worth billions that, thus far, most of the rest of the federal government does not want to use."

"The DHS National Security Breach database has been breached. Please try again later."

The "Missions and Performance" report details a legacy of Federal breaches and nation-state attacks, which isn't reassuring under our current circumstances.

For example, in 2013, hackers gained access to U.S. Army Corps of Engineers network, and downloaded a non-public database of information about 85,000 dams, including sensitive security information and the potential fatalities that could be caused by a breach.

The Nuclear Regulatory Commission (NRC) stored sensitive cybersecurity details for nuclear plants on an unprotected shared drive, making them more vulnerable to theft.

In February 2013, hackers even breached the Federal Communications Commission's Emergency Broadcast System to broadcast warnings in Michigan, Montana, and North Dakota about a zombie attack.

Further, earlier this year [2014], the Administration discovered that Chinese hackers had breached the U.S. Office of Personnel Management and one of its key security clearance investigation contractors.

The data targeted in both cases reportedly included information on federal employees with high-level security clearances.

Then, in October [2014], the White House revealed that hackers had breached its unclassified network, in an apparently state-sponsored attack.

It remains unclear what information the Russian hackers stole from the White House network.

With this information, we're left wondering why the Sony breach and U.S. government threats toward North Korea are the catalyst for new legislation, rather than those two previous state-sponsored cyberattacks on our own government by other countries.

In fact, we're left wondering a lot of very scary things.

Let's hope the White House and its flailing DHS can to show us it is able to get its own cybersecurity house in order before beginning another 12 years of ineffective, inefficient, and terrifyingly incompetent cybersecurity theatre.

Editorial standards