Homeland Insecurity: OIG audit identifies numerous deficiencies

'May allow unauthorized individuals access to sensitive data'. You don't say

Sharing is the key

After a leaderless year, the DHS cybersecurity centre is now being run by Andy Ozment – a Cambridge-educated computer scientist who was one of the lead investigators of the Office of Personnel Management breach earlier this year.

The audit states the DHS has taken positive steps towards improving information sharing and coordination on incident response and investigation.

Information sharing between federal agencies is considered key to improving the US' cybersecurity, and a proposed Cybersecurity Information Sharing Act (CISA) was introduced by Senator Dianne Feinstein (D-CA) in 2014, although it had to be reintroduced by Senator Richard Burr (R-NC) as it did not reach a full senate vote before the end of the congressional session.

During its most recent reading in August, the DHS deputy secretary, Alejandro Mayorkas, wrote to Senator Al Franken (D-MN) to complain about CISA.

Among Mayorkas' complaints was an uncharacteristic claim that the legislation would risk "sweeping away important privacy protections and civil liberties". Commentators suggested that the agency, which is considered to have a legacy of hostility towards civil liberties, might more honestly have resented its removal as an information-sharing middleman.

Claims that the DHS leveraged its position as middleman to assert its own importance could be substantiated by the audit, which found that "an automated cyber information sharing tool is needed to enhance coordination among the components."

At the time of writing, the OIG considered only two of its recommendations to be "open and unresolved", both of which regard security vulnerabilities.

The DHS is yet to "mitigate identified website vulnerabilities or accept the risk by documenting the weaknesses."

The agency must also "create, update, and maintain [Plans of Actions and Milestones (POA&Ms)] for all known information technology security weaknesses".

Although the DHS attempted to convince the auditors that it had been dealt with, the OIG maintains that it has not. ®
