Secret Service IT management slammed following Chaffetz breach
By Joe Davidson
Now that the votes are in and the presidential campaign is done, the Secret Service can close an incredibly busy election season.
Perhaps it can turn some of that energy to protecting its computer systems, which suffer from neglect, ignorance and bad management, according to a watchdog’s report.
The report by the Office of Inspector General (OIG) at the Department of Homeland Security is related to the agency’s breach and leak of personal information belonging to Rep. Jason Chaffetz (R-Utah) last year. That was another in a string of embarrassments for a law enforcement agency that has had such a proud tradition.
A 2015 OIG investigation found that 45 employees got into Chaffetz’s 2003 Secret Service job application. Only four had a legitimate need, leaving the rest in violation of the Privacy Act and agency policies. The file snooping began minutes after Chaffetz, chairman of the House Oversight and Government Reform Committee, opened a hearing into allegations of agents’ misconduct.
Chaffetz said the current report, issued last month, shows that “despite past warnings, USSS [U.S. Secret Service] is still unable to assure us their IT systems are safe.” In a letter to Inspector General John Roth, Chaffetz also said the discipline for some agents in his case “is not adequate to deter similar behavior in the future” and asked Roth to continue his investigation.
The October report goes well beyond the Chaffetz case and dissects the agency’s information technology operation in scathing particulars.
Summing up the report, the inspector general’s office offered this mouthful: The “audit uncovers a myriad of problems with Secret Service’s IT management including inadequate system security plans, systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections, and over-retention of records. The OIG concluded that Secret Service’s IT management was ineffective because Secret Service has historically not given it priority. The Secret Service CIO’s [Chief Information Officer] Office lacked authority, inadequate attention was given to updating IT policies, and Secret Service personnel were not given adequate training regarding IT security and privacy.”
The Secret Service agreed with the report’s 11 recommendations, even though officials believe it does not reflect the agency’s recent IT progress. In a memorandum responding to the report, Secret Service Director Joseph P. Clancy noted last year’s hiring of retired Marine Brig. Gen. Kevin Nally as CIO and “the sweeping and unprecedented improvements” under his leadership.
“While more work remains to be done,” Clancy said that “the Secret Service has made considerable improvements in a remarkably short period of time. . . . We take the motto of being ‘worthy of trust and confidence’ very seriously in all areas in which we operate.”
Here are some points from the report:
- Inadequate and ineffective system security: Security plans were “inaccurate, incomplete, or in one case, non-existent.” Many plans “were missing key items.” Some plans “incorrectly listed system security personnel in positions they no longer held, making it unclear as to who to contact in case of an incident.”
- Outdated access controls: Secret Service access control policies were last updated 16 years ago, more than a lifetime in the digital era. “As such, it was not clear who should have access to the sensitive information retained on the USSS systems.” Once users gained access to the Master Central Index mainframe system, they could get into all system data, whether they needed it or not. Inactive accounts were not promptly disabled.
- Poor audit controls: This hindered the ability to detect unusual activity or respond to security risks and attacks.
- Lack of privacy protections: “Privacy documentation was incomplete, not up to date, or missing.” The inspector general requested system security plans for five systems. “Only four were provided,” and each was incomplete. Information System Security Officers “indicated they were unaware of the requirements for documenting privacy controls.”
- Missing leadership: The Secret Service did not have a designated, full-time privacy officer reporting directly to the agency director as the Department of Homeland Security required, increasing “the likelihood that privacy requirements would continue to not be fully addressed.”
- Over-retention of records: This violates the Privacy Act and relates directly to Chaffetz’s file, which was viewed when it was 12 years old. “[I]t was not reasonable to maintain this information for more than 10 years after Congressman Chaffetz submitted his application, and therefore, the continued retention of his records violated the Privacy Act.”
- Low priority: The OIG found some “key guidance” related to IT management dated to 1992, “reflecting that IT was not a priority.” Key IT openings were left vacant for months. At one point, the agency’s CIO office’s vacancy rate was 29 percent. Hundreds of employees lacked adequate IT training, leaving them not fully aware of their “responsibilities in properly safeguarding mission critical data.”
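The access-control, audit-control and over-retention findings above, as an added example that is not from the report or the agency: a small Python script run over constructed audit-log lines that flags reads outside a record's need-to-know list, a burst of distinct users opening one record within a few minutes (the pattern in the Chaffetz file case), and records held past a ten-year retention limit. `AUTHORIZED`, `LOG`, and every user and record id are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed need-to-know list: users with a legitimate reason to read each record.
AUTHORIZED = {"REC-1": {"u01", "u02"}}

# Constructed audit-log lines: timestamp, user, action, record id.
LOG = """\
2015-03-24T14:01:10 u01 READ REC-1
2015-03-24T14:02:05 u07 READ REC-1
2015-03-24T14:02:40 u12 READ REC-1
2015-03-24T14:03:15 u02 READ REC-1
2015-03-24T14:03:50 u19 READ REC-1
2015-03-24T16:30:00 u01 READ REC-2
"""

def parse_log(text):
    """Return (timestamp, user, action, record) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, action, rec = line.split()
        events.append((datetime.fromisoformat(ts), user, action, rec))
    return sorted(events)

def unauthorized_reads(events, authorized):
    """Reads by users outside the record's need-to-know list (no entry = nobody)."""
    return [(user, rec) for _, user, act, rec in events
            if act == "READ" and user not in authorized.get(rec, set())]

def burst_reads(events, window=timedelta(minutes=5), threshold=3):
    """Records read by >= threshold distinct users inside any sliding window."""
    reads = defaultdict(list)          # events are time-ordered, so lists stay sorted
    for ts, user, act, rec in events:
        if act == "READ":
            reads[rec].append((ts, user))
    flagged = {}
    for rec, rs in reads.items():
        for i, (start, _) in enumerate(rs):
            users = {u for ts, u in rs[i:] if ts - start <= window}
            if len(users) >= threshold:
                flagged[rec] = max(flagged.get(rec, 0), len(users))
    return flagged

def over_retained(submitted, as_of, max_years=10):
    """Record ids held past the retention limit (dates as ISO strings, years approximated)."""
    cutoff = datetime.fromisoformat(as_of)
    return [rec for rec, iso in submitted.items()
            if cutoff - datetime.fromisoformat(iso) > timedelta(days=365.25 * max_years)]
```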
Roth recognized agency IT improvements in a statement with the report, but added that until they and the recommendations are fully implemented “the potential for another incident like that involving Chairman Chaffetz’ personal information remains.”