For now, the US Secret Service has no reasonable assurance that its information systems are properly secured to protect Law Enforcement Sensitive case management information.
That was but one of the conclusions laid at the feet of the US Secret Service today by the Department of Homeland Security’s Inspector General, John Roth in a scathing report on the agency tasked with protecting the President and other important government officials.
+More on Network World: Federal cyber incidents grew an astounding 1,300% between 2006 and 2015+
Further from the report: “US Secret Service systems and data remain vulnerable to unauthorized access and disclosure. As discussed, contributing factors included inadequate system security plans, systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections, and over-retention of records. Such deficiencies increase risks to the confidentiality, integrity, and availability of mission- critical information systems and data.”
“Today’s report reveals unacceptable vulnerabilities in Secret Service’s systems,” concluded Inspector General Roth.
The investigation and audit of the Secret Service’s IT system security came as a result of a security breach – namely the 2015 release of personal information about U.S. Congressman Jason Chaffetz which lead to an investigation that found improper access by Secret Service employees.
The potential for incidents similar to the Congressman Chaffetz breach of March 2015 remain, the report stated. Insider threats present within the organization may be able to: steal, alter, or destroy mission critical data; export malicious code to other systems; install covert backdoors that would permit unauthorized access to data or network resources; or impact the availability of any information system’s resources or networks.
+More on Network World: What is on a US Secret Service mainframe anyway?
“Any loss, theft, corruption, destruction, or unavailability of Law Enforcement Sensitive data or PII could have grave adverse effects on the USSS’ ability to protect employees or the general public,” the report stated.
The Secret Service’ primary mission is protecting the President, other dignitaries, and events, and investigating financial and cybercrimes to help preserve the integrity of the Nation’s economy. This statutory responsibility leaves little, if any, room for error. As such, the systems and information supporting this mission must be managed in an efficient and secure manner, the report stated.
IG Roth concluded that Secret Service’s IT management was ineffective because the “Secret Service has historically not given it priority. The Secret Service CIO’s Office lacked authority, inadequate attention was given to updating IT policies, and Secret Service personnel were not given adequate training regarding IT security and privacy.
+More on Network World: Feds' primary network security weapon needs more bang+
“[The Secret Service] has much work to do to make IT a priority. This requires establishing and implementing an IT governance framework that addresses, at a minimum, the IT organizational and management deficiencies identified in this report. It also requires that USSS leadership fully understand and address the potential for insider risks, not only from system administrators and inadequately managed IT contractors, but also from employees and business partners.
The report concluded that the new Secret Service CIO was aware of the severity of these issues and had begun formulating a strategic plan, including corrective actions plans to address long-standing IT deficiencies.
Check out these other hot stories: