The Office of Inspector General (OIG) has released its “Evaluation of DHS’ Information Security Program for Fiscal Year 2017” (pdf). In short, the Department of Homeland Security (DHS) is running outdated software, has unpatched critical vulnerabilities, including the flaw exploited by WannaCry ransomware, and some workstation security patches have gone undeployed for years.
When President Trump issued an executive order in May 2017 about strengthening the cybersecurity of federal networks and critical infrastructure, each federal agency was required to use the NIST Cybersecurity Framework to manage cybersecurity risk.
The OIG rated each of the agency’s cybersecurity functions at one of five maturity levels: 1) ad hoc; 2) defined; 3) consistently implemented; 4) managed and measurable; and 5) optimized. If an agency reaches Level 4 in a majority of its five cybersecurity functions, its information security program is considered “effective overall.”
The five NIST Cybersecurity Framework functions are Identify, Protect, Detect, Respond, and Recover. After its audit, the OIG said, “DHS could protect its information and systems more fully and effectively,” as DHS reached the targeted Level 4 only for Identify and Respond.
Yet even with scoring a Level 4 for Identify, “64 systems lacked valid authority to operate, and components did not remediate security weaknesses timely.”
Protect, Detect, Recover = Fail
The Protect function means appropriate safeguards to ensure delivery of critical infrastructure services have been developed and implemented. The OIG found DHS fell short in the Protect department, saying it “did not implement all configuration settings required to protect component systems, continued using unsupported operating systems, and did not apply security patches timely to mitigate critical and high-risk security vulnerabilities on selected systems.”
Specific Protect failures included a DHS Headquarters system, a Coast Guard system, and a Secret Service system still running Windows Server 2003, an operating system Microsoft stopped supporting, and stopped issuing security updates for, in July 2015.
Additionally, the OIG found critical and high-risk vulnerabilities caused by missing patches on Windows Server 2008 and 2012 systems; some of the missing updates had been released as far back as July 2013. Other DHS components had not deployed critical patches released in July 2016.
The OIG also found several Windows 7 and 8.1 workstations that had not been patched against WannaCry ransomware. Other missing patches covered web browsers, Flash Player, Adobe Shockwave, and Adobe Acrobat. Vulnerability assessment testing turned up, for example, 12 unique high-severity vulnerabilities and four critical flaws on DHS Headquarters Windows 7 workstations, and five critical flaws on DHS Headquarters Windows 8.1 workstations.
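The two Protect findings above, an out-of-support Windows Server 2003 host and Windows 7/8.1 workstations missing the WannaCry patch, are the kind of thing a component could catch on its own hosts before an auditor does. The script below is an added example, not code from the OIG report or from DHS. It assumes an elevated Windows PowerShell session on the host being checked, and the KB numbers it lists are an assumption not stated on the page: they are Microsoft’s March 2017 MS17-010 security-only and monthly-rollup IDs by OS build.

```powershell
# Added example, not from the OIG report or from DHS: a first-pass local audit
# for the Protect findings above. Run in an elevated Windows PowerShell session.
# Get-WmiObject is used (rather than Get-CimInstance) so it also works on the
# PowerShell 2.0 that ships with Windows 7.
#
# Assumption not stated on the page: the KB IDs below are the March 2017
# MS17-010 security-only / monthly-rollup IDs per OS build. Monthly rollups are
# cumulative, so a later rollup supersedes them; treat "not found" as a lead to
# confirm with a vulnerability scanner, not as proof the host is exploitable.

$os       = Get-WmiObject -Class Win32_OperatingSystem
$build    = [int]$os.BuildNumber
$findings = @()

# 1. Unsupported operating system. Windows Server 2003 is build 3790 and left
#    extended support in July 2015, so nothing newer than that exists for it.
if ($build -le 3790) {
    $findings += "Unsupported OS: $($os.Caption) build $build (no security updates since July 2015)"
}

# 2. MS17-010 presence, keyed by OS build. Only the builds the report named
#    (plus their server twins) are listed.
$ms17010 = @{
    7601 = @('KB4012212', 'KB4012215')   # Windows 7 SP1 / Server 2008 R2
    9200 = @('KB4012214', 'KB4012217')   # Windows 8 / Server 2012
    9600 = @('KB4012213', 'KB4012216')   # Windows 8.1 / Server 2012 R2
}
if ($ms17010.ContainsKey($build)) {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $present   = $ms17010[$build] | Where-Object { $installed -contains $_ }
    if (-not $present) {
        $findings += "MS17-010 ($($ms17010[$build] -join '/')) not found on build $build; check for a later cumulative rollup or scan the host"
    }
}

# 3. Independent of patch level, WannaCry spread over SMBv1. Under the
#    LanmanServer key, a missing SMB1 value or a value of 1 means SMBv1 is on.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1   = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
if ($null -eq $smb1 -or $smb1.SMB1 -ne 0) {
    $findings += "SMBv1 server is enabled; disable it (Set-SmbServerConfiguration -EnableSMB1Protocol `$false on Windows 8.1/2012 R2 and later, or set the SMB1 value under $params to 0 on Windows 7/2008 R2)"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $($os.Caption) build $build - no findings from this check"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it through your existing remote-execution or configuration-management channel to cover a fleet; the point is that the OS build, hotfix list, and SMBv1 state are all locally readable, so nothing in these findings required an auditor to discover.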
NIST’s Detect function means “developing and implementing the appropriate activities to identify the occurrence of a cybersecurity event.” The OIG found that DHS fell short of Level 4 here because it had not maintained software licenses for unclassified systems and had relied on “data calls to monitor national security systems as part of its continuous monitoring process to detect potential incidents.”
DHS also failed to reach Level 4 regarding NIST’s Recover function, which “entails developing and implementing plans for resiliency and restoration of any capabilities or services impaired due to a cybersecurity event.”
OIG’s conclusion after evaluating Homeland Security’s IT systems
The OIG concluded:
Specifically, since the Department’s inception in 2003, components have not effectively managed and secured their information systems. Components have continued to operate systems without ATOs, used unsupported operating systems that expose DHS data to unnecessary risks, ineffectively managed the POA&M process to mitigate identified security weaknesses, and failed to apply security patches timely. Such repeated deficiencies are contrary to the President’s Cybersecurity Executive Order and clear indicators that departmental oversight of the enterprise-wide information security program needs to be strengthened. Until DHS overcomes challenges to addressing its systemic information security weaknesses, it will remain unable to ensure that its information systems adequately protect the sensitive data they store and process.
The OIG made five recommendations, which the DHS chief information security officer agreed to complete no later than Sept. 20, 2018.
Talented security experts needed, but security skills of DHS employees unknown
It is interesting to note that DHS, the department responsible for protecting U.S. cybersecurity, says it needs qualified security experts but does not know the skills of the people it already employs.
The OIG noted that DHS “has not assessed the knowledge, skills, and abilities of its cyber workforce. Lacking such an assessment, DHS cannot assure that its employees possess the knowledge and skills necessary to perform their various job functions, or that qualified personnel are hired to fill cybersecurity-related positions.”
Yet DHS told the OIG that “a lack of qualified security engineers from the overall labor market” was “the foremost reason for components failing to meet its SA metric,” a shortfall that may remain the status quo until “cybersecurity becomes a common skill-set across the Nation.”