In a General Accounting Office report just released, the GAO found that the Department of Homeland Defense had not implemented a security program to protect its information systems and the sensitive information it gathers.
Indeed, from the litany of undones and incompletes the report lists, it would seem that one of the most important bulwarks in our country’s vaunted war on terrorism is subject to hacking from virtually any kid with an IBM and a grudge:
DHS has not fully implemented a comprehensive, departmentwide information security program to protect the information and information systems that support its operations and assets. It has developed and documented departmental policies and procedures that could provide a framework for implementing such a program; however, certain departmental components have not yet fully implemented key information security practices and controls. For example, risk assessments—needed to determine what controls are necessary and what level of resources should be expended on them—were incomplete. Elements required for information system security plans—which would provide a full understanding of existing and planned information security requirements—were missing. Testing and evaluation of security controls—which are needed to determine the effectiveness of information security policies and procedures—were incomplete or not performed. Elements required for remedial action plans— which would identify the resources needed to correct or mitigate known information security weaknesses—were missing, as were elements required for continuity of operations plans to restore critical systems in case of unexpected events.
Let’s see, that includes the United States Visitor and Immigrant Status Technology, or US-VISIT, which is supposed to identify and stop terrorists at our borders; Immigration and Customs Enforcement, or ICE; the Transportation Security Administration — you know, the guys with the wands at the airport; and Emergency Preparedness and Response.
Sounds like the department should be renamed Homeland INSECURITY.
The Homeland Security Act of 2002 (Pub. L. No. 107-296) effectively merged the operations of 22 federal agencies whose activities were related in some way to homeland security, and went into effect in 2003. Here, two years later, we find that the agency’s security system has more holes in it than an unarmored Humvee in Baghdad.
The GAO notes that the federal gubmint is facing increasing threats from “hackers, viruses and others who seek to disrupt federal operations or obtain sensitive information that is stored in federal computers.”
It seems that the enterprisewide tool that DHS relies on for security, which goes by the (and I’m not making this up) ironic name of Trusted Agent FISMA, has been, in the understated words of GAO “unreliable.” To wit, and this will make sense to you IT folk out there, the system is unreliable because:
- data are not comprehensively verified
- there is no audit trail capability
- material weaknesses are not consistently reported or linked to plans of action or milestones
- plans of action and milestones that have been identified and documented are not current
Not since 1947, when the government formed the Department of Defense, has so massive a reorganization of federal agencies taken place, involving 22 agencies and some 209,000 people. And yet, it sounds as though the DHS’s computer system is less safe than yours or mine.
According to the GAO, DHS’s mission is to “prevent and deter terrorrist attacks within the United States, reduce the vulnerability of the United States to terrorism, and to minimize the damage and assist in recovery from terrorist attacks that do occur.” The GAO notes that this is an “exceedingly complex mission,” but it also notes that the agency has $28.9 billion in allocations to do the job.
Perhaps DHS should start putting its security system in order by firing Trusted Agent FISMA and buying Norton Utilities for $49.95. Then it could use the rest of the $28 billion to really start protecting Americans.