6 agencies under DHS rule still using Windows XP: IG finds DHS cybersecurity holes

The Office of Inspector General report found a plethora of DHS cybersecurity problems, including using XP, failing to patch, and operating systems that it no longer has the authority to operate.

The Department of Homeland Security, which is ultimately the agency responsible for battening down the hatches on U.S. cybersecurity and critical infrastructure, cannot batten down its own cybersecurity hatches, as was illustrated by six of 22 agencies under the DHS umbrella that are still using Windows XP.

The recently released Office of Inspector General report [pdf] found that U.S. Customs and Border Protection (CBP), Federal Law Enforcement Training Center (FLETC), Department of Homeland Security (DHS), Office of Inspector General (OIG), Transportation Security Administration (TSA) and United States Citizenship and Immigration Services (USCIS) "are still using the Windows XP operating system which may lead to potential security risks as Microsoft will stop providing support to include service packs and updates to mitigate potential security vulnerabilities in 2014."

"This report shows major gaps in DHS's own cybersecurity, including some of the most basic protections that would be obvious to any 13-year-old with a laptop," said Senator Tom Coburn, who is on the Senate Homeland Security and Governmental Affairs Committee. "DHS doesn't use strong authentication. It relies on antiquated software that's full of holes. Its components don't report security incidents when they should. They don't keep track of weaknesses when they're found, and they don't fix them in time to make a difference."

Sen. Coburn added:

"The fact is the federal government's classified and unclassified networks are dangerously insecure, putting at risk not only U.S. national security, but the nation's critical infrastructure and vast amounts of our citizens' personally identifiable information.

"We spend billions of taxpayer dollars on federal information technology every year. It is inexcusable to put the safety and security of our nation and its citizens at risk in this manner."

Ten years after the agency was formed, one expert after another testified that DHS is "still plagued with cybersecurity and critical infrastructure problems." Then the President's Council of Advisors on Science and Technology released a report [pdf] stating, "The federal government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems." Although the IG's report is not all bad, it does seem to echo those same failings.

For example, DHS is operating 47 systems that it no longer has the authority to operate (ATO); 13 of those have been "operating without ATO for more than a year." There are also 17 classified "Secret" systems operating with an expired ATO. "As of May 2013, the Department has not performed any quality reviews on the security authorization artifacts to ensure the required security controls are implemented for the Department's 'Top Secret' systems." The IG reported, "Without a renewed and valid ATO, DHS cannot be assured that effective controls have been implemented to protect the sensitive information stored and processed by these systems."

The IG repeatedly mentioned problems with DHS' Plan of Action and Milestones (POA&M). There are 3,412 open POA&Ms, of which 496 were delayed by at least three months; 160 more have an estimated completion date of more than one year; and 338 more "open POA&Ms are scheduled to take more than two years to remediate." Although POA&M data is supposed to be monitored and updated on a monthly basis, 1,267 had not been updated for 90 days and 328 had not been updated for a year. Another 89 open POA&Ms, which are classified as 'Secret,' had not been updated for 90 days.

In May, DHS had 662 information systems that were reported as "operational," including those that are classified as "Sensitive But Unclassified," "Secret," and "Top Secret."

Yet according to the IG report, there is a plethora of problems that need to be addressed. These include configuring laptops to the required DHS and United States Government Configuration Baseline (USGCB) settings to do away with deficiencies related to Telnet, IPv6 routing protection and TCP settings. The National Protection and Programs Directorate (NPPD) "had not configured the CyberScope database with all required DHS baseline configuration settings," so the IG "identified three instances of non-compliance."
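The IG's findings above (unsupported Windows XP hosts, systems running on an expired ATO for more than a year, POA&Ms not updated for 90 days or a year, and a Telnet baseline deficiency) are all inventory checks a component could run monthly. The following is an added example, not code from the IG report or the article; the system records, hostnames and the 31 May 2013 reference date are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Thresholds as described in the IG findings: POA&Ms should be updated
# monthly (stale at 90 days, badly stale at a year); an ATO expired for
# over a year is called out separately; XP loses vendor support in 2014.
POAM_STALE_DAYS = 90
POAM_VERY_STALE_DAYS = 365
ATO_LONG_EXPIRED_DAYS = 365
UNSUPPORTED_OS = {"Windows XP"}

@dataclass
class SystemRecord:                      # one row of a constructed inventory
    name: str
    component: str
    os: str
    ato_expires: date
    poam_last_updated: Optional[date]    # None when the system has no open POA&M
    telnet_enabled: bool = False         # USGCB baseline: Telnet should be off

def audit(records: List[SystemRecord], today: date) -> List[Tuple[str, str]]:
    """Return (system name, finding) pairs mirroring the IG's checks."""
    findings = []
    for r in records:
        if r.os in UNSUPPORTED_OS:
            findings.append((r.name, "unsupported_os"))
        if r.ato_expires < today:
            expired_for = (today - r.ato_expires).days
            kind = "ato_expired_over_year" if expired_for > ATO_LONG_EXPIRED_DAYS else "ato_expired"
            findings.append((r.name, kind))
        if r.poam_last_updated is not None:
            age = (today - r.poam_last_updated).days
            if age >= POAM_VERY_STALE_DAYS:
                findings.append((r.name, "poam_stale_year"))
            elif age >= POAM_STALE_DAYS:
                findings.append((r.name, "poam_stale_90d"))
        if r.telnet_enabled:
            findings.append((r.name, "telnet_enabled"))
    return findings

def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings by type, the shape the IG report presents them in."""
    counts: Dict[str, int] = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

AS_OF = date(2013, 5, 31)                # constructed reference date
SAMPLE = [                               # constructed inventory, not real DHS data
    SystemRecord("cbp-laptop-01", "CBP", "Windows XP", date(2012, 1, 15), date(2013, 5, 1), True),
    SystemRecord("tsa-web-02", "TSA", "Windows 7", date(2013, 3, 1), date(2013, 1, 15)),
    SystemRecord("uscis-db-03", "USCIS", "RHEL 6", date(2014, 2, 1), date(2012, 4, 1)),
    SystemRecord("oig-srv-04", "OIG", "Windows 7", date(2014, 6, 30), None),
]
```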

Furthermore, six DHS agencies (CBP, FEMA, FLETC, ICE, NPPD, and TSA) received pitiful scores below 65% for configuration management and four (CBP, FEMA, ICE, and NPPD) received pathetic patch management scores of below 65%.

It's little wonder why some people balk at the idea of DHS leading the effort to update the National Infrastructure Protection Plan (NIPP). Although the U.S. definitely needs to protect "water, electrical, telecommunication, financial and other critical infrastructure," Homeland Security and all its components need to get their own cybersecurity house in order before commanding the private sector to do the same.


Copyright © 2013 IDG Communications, Inc.
