IG: Secret Service's IT Has 'Unacceptable Vulnerabilities'Rep. Chaffetz, Victim of a Secret Service Insider Breach, Describes IG Audit as 'Alarming'
"Unacceptable vulnerabilities" exist in the U.S. Secret Service's information technology, leaving systems susceptible to potential unauthorized employee access, the Department of Homeland Security inspector general says.
An IG audit uncovered numerous problems with Secret Service's IT management, including inadequate system security plans; systems with expired authorities to operate; inadequate access and audit controls; noncompliance with logical access requirements; inadequate privacy protections; and over-retention of records.
The IG contends that Secret Service's IT management is ineffective because it has historically not given it priority. According to the audit, the Secret Service CIO's office lacks authority for all IT resources and is not effectively positioned to provide necessary oversight. In addition, agency gives inadequate attention to updating IT policies and Secret Service personnel are not receiving adequate training regarding IT security and privacy. The IG made 11 recommendations, and the Secret Service agreed to take the recommended corrective actions.
The investigative report, made public Oct. 14, follows an earlier IG audit into Secret Service employees improperly accessing and disclosing information about Rep. Jason Chaffetz, the Utah Republican who chairs the House Oversight and Government Reform Committee, which monitors Secret Service operations.
Insider Breach Remains Possible
"Today's report reveals unacceptable vulnerabilities in Secret Service's systems," DHS Inspector General John Roth says. "While Secret Service initiated IT improvements late last year, until those changes are fully made and today's recommendations implemented, the potential for another incident like that involving Chairman Chaffetz' personal information remains."
The Secret Service is a unit within DHS.
In September 2015, the IG issued a partially redacted report that said 45 agents accessed Chaffetz' 2003 application to be a Secret Service agent - he wasn't hired - though only four of them had an "arguable legitimate need to access the data." (See IG Reopens Probe Into Secret Service Agents Spying on Chaffetz Files.) The first unauthorized query of Chaffetz' name in the Secret Service database, made by a senior Secret Service agent, occurred 18 minutes after Chaffetz convened a March 24, 2015, hearing on the Secret Service concerning allegations that two agency supervisors breached a crime scene and may have been drunk. Chaffetz was elected to Congress in 2008.
Chaffetz issued a statement characterizing the latest audit issued Oct. 14 as "alarming."
"The Secret Service believes they have a core mission to protect the nation's financial infrastructure from cyber-related crimes, yet can't keep their own systems secure," Chaffetz says. "Despite past warnings, USSS is still unable to assure us their IT systems are safe. The loss or theft of law enforcement sensitive information is disastrous and jeopardizes witnesses involved in criminal cases or the identities of undercover officers, or worse. USSS's cyber-related responsibilities should be moved elsewhere. They lack the right personnel to do the job and senior leadership isn't accountable."
That lack of leadership was raised last year with the earlier audit.
A year ago, the IG's office said it reopened the investigation into the agency's IT management because Secret Service Director Joseph Clancy had a different "recollection of the events in question" than what he told the IG when interviewed on July 17, 2015. Clancy was unaware of the unauthorized access until shortly before the media published accounts of it, according to the IG report. Clancy served 27 years in the Secret Service until retiring in 2011. President Obama appointed Clancy the agency's director in February 2015.
Eliminating the Insider Risk
The new audit points out that the Secret Service must make IT a priority, including implementing an IT governance framework that addresses, at a minimum, the IT organizational and management deficiencies identified in this report. That, the IG report says, would require the Secret Service leadership to fully understand and address the potential for insider-threat risks, not only from system administrators and inadequately managed IT contractors, but also from employees and business partners.
Assistant Inspector General Sondra McCauley, writing in the report, says the Secret Service's new CIO - Kevin Nally - is aware of the severity of the issues and has begun to formulate a strategic plan to address long-standing IT deficiencies. "Time will tell how effective these efforts prove in changing the USSS culture so that a premium is placed on ensuring a holistic information security program with effective technical, operational and management controls," she says.