Key Homeland Security agency deemed ill equipped to fight fast-growing homeland threat
TSA, which protects airline passengers, deficient in guarding against cybersecurity attack on systems, agency watchdog warns
The Homeland Security agency charged with protecting U.S. airline and train passengers is significantly deficient in protecting its sensitive information systems from cybersecurity attacks that are becoming a growing threat across the globe, the department’s internal watchdog warns in a stinging new report.
The Transportation Security Administration (TSA) was found deficient in 8 of 10 categories, incapable of ensuring “it will be able to quickly detect, respond to, and recover from a cyberattack,” Homeland’s inspector general declared in a report released this week ahead of one of the busiest travel weekends of the year with the Labor Day holiday.
In 2015, in response to increasing cyber threats, the Office of Management and Budget created the High Value Asset (HVA) security initiative tasking federal agencies with identifying their most important assets. These assets include “federal information systems, information, and data for which unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to national security interests, foreign relations, the economy, safety, and the security of the American people.”
According to Homeland’s inspector general, the Cybersecurity and Infrastructure Security Agency (CISA) along with the National Institute of Standards and Technology (NIST) subsequently developed guidelines to ensure the government’s information systems were more secure and achieved “effective risk management.”
These guidelines and procedures are especially important for the TSA as the agency tasked with protecting the nation’s transportation systems, including our airports, mass transit systems, rail, highways, and ports, the report said. Transportation is identified as one of the 16 critical infrastructure sectors defined by CISA, “considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
The watchdog’s investigation concluded that TSA “did not implement effective controls to protect the sensitive information processed by the selected HVA system.” The IG noted that this leaves the agency particularly vulnerable to cyberattacks which could undermine its functions and endanger our security.
The IG identified “deficiencies” in 8 out of 10 security areas governed by guidelines from NIST on proper security and privacy controls to protect the sensitive information contained in the system.
In one instance, the IG found that during its review of the selected system the TSA’s “vulnerability management software became unable to deploy patches to more than 700 workstations.” This caused an issue with communication between TSA’s vulnerability management software and the workstations, preventing data from being collected from August 2022 at least until the end of the review in November 2022.
During this same period, CISA updated its Known Exploited Vulnerabilities (KEV) catalogue, which identifies potential gaps in security that should be remedied. The OIG report found that the TSA was unable to update its systems properly because of the communications issue with the vulnerability management software. This left those select systems vulnerable to the security gaps identified by CISA.
Though the IG report does not specify which High Value Asset (HVA) system it audited, a document obtained from the Department of Homeland Security website lists systems covered under this designation that range from a “Fingerprint Submission Portal,” to a “Law Enforcement Database Access,” to the agency’s secure email system. The national security implications if any of these systems were compromised by a cyberattack are clear.
In fact, in July of this year, Microsoft confirmed that Chinese hackers had succeeded in accessing some of its customers’ email systems. CISA then reported that an unnamed federal agency noticed suspicious behavior on its email servers the month prior and had reported that information to both CISA and Microsoft. A statement from the State Department indicated that it may have been the affected agency, according to contemporaneous reporting by NPR.
Chinese-connected hackers have continuously presented a threat to improperly secured federal systems. In April 2021, the Washington Post reported that “Sophisticated Chinese government hackers are believed to have compromised dozens of U.S. government agencies, defense contractors, financial institutions and other critical sectors.”
In one of the most famous of these intrusions, first reported in 2015, at the time the HVA system was being implemented, Chinese hackers perpetrated a wide-ranging hack of the Office of Personnel Management, in which upwards of 22 million people inside and outside of government had their personal information stolen. This trove included the Social Security numbers or other personal identifying information of millions of applicants for security clearances.
Likewise, two Iranian nationals have been indicted in New York for hacking a state voting system during the 2020 election, stealing some voters’ identifying information and using it to send “threatening email messages to intimidate and interfere with voters,” according to the Justice Department's indictment.
The IG report concluded the TSA also had deficiencies in supply chain management in the HVA system it analyzed. The report noted that “system administrators stated that TSA did not currently have a system-specific plan for managing the selected HVA system’s supply chain risks.” Yet NIST requires organizations to have a plan to address and mitigate supply chain risks. These requirements were reinforced by Executive Order 14028, signed by President Biden at the beginning of his term, which directed agencies to improve guidelines and requirements for “software supply chain security.”
More troubling, the watchdog report warned that, according to the HVA system administrators, “TSA does not have an overall supply chain risk management plan for its IT assets but was developing a draft at the time of [their] review.” This potentially leaves many of the TSA’s systems and hardware vulnerable to supply chain security issues after NIST guidelines and President Joe Biden’s executive order were developed to mitigate these very issues.
The OIG report notes that the TSA has responded to all the office’s recommendations to improve the shortfalls in security, though the OIG considers the issues “open and resolved” until “TSA provides documentation showing that all planned corrective actions are completed.”