The Department of Homeland Security, the agency charged with protecting the federal government from cyber attacks, is itself vulnerable to such threats because its own outdated computers lack even the basic protections needed to fend off hackers, a new report shows.
The 50-page report, released Monday by the department's Inspector General, found numerous serious flaws in the department's computer security program, starting with the fact that it's run on a nearly obsolete, decade-old operating system.
Six DHS divisions — including the department's headquarters, Customs and Immigration Services and the TSA — are still using Windows XP software, which is far more vulnerable to malware and in just a few months will be considered so outdated that its manufacturer, Microsoft, will stop providing security upgrades for it.
“This report shows major gaps in DHS’s own cybersecurity, including some of the most basic protections that would be obvious to any 13-year-old with a laptop," Sen. Tom Coburn, R-Okla., the top Republican on the Senate Homeland Security and Governmental Affairs Committee, said in a statement.
Coburn believes the report shows the Department of Homeland Security is putting at risk critical information the department maintains about the nation's infrastructure, like the location of chemical facilities, or the personal information it keeps on the millions of people who went through the department's U.S. Citizens and Immigrations Services division.
DHS also is charged with protecting sensitive data on national security matters and criminal activity and records of everyone who enters or exits the country through a U.S. border crossing.
"DHS doesn’t use strong authentication and it relies on antiquated software that’s full of holes," Coburn said. "Its components don’t report security incidents when they should. They don’t keep track of weaknesses when they’re found, and they don’t fix them in time to make a difference."
Other findings from the IG report include:
— In some divisions, employees failed to monitor more than a third of their computers to ensure that security measures are in place and functioning, including software updates and access by unauthorized users.
— Only 59 percent of all DHS computers are being properly managed to ensure software security "patches" are installed.
— DHS computers are vulnerable to hackers because most divisions don't use personal identity verification systems to prevent unauthorized use. The department intended to implement identification verification in half of its divisions this year, but finished only about a third of those divisions, the report found. "The department can greatly increase security to its information systems while decreasing the potential of incidents and outside attacks," the report concluded.
The IG report did credit seven DHS divisions — including the Secret Service, the Federal Emergency Management Agency and the Coast Guard — for keeping their employees "informed regularly" of security threats and vulnerabilities in their computer operating systems.
The report shows that DHS has made "significant progress" with cyber security improvements, but Senate Homeland Security Committee Chairman Tom Carper, D-Del., said it also "highlighted some very important areas in which DHS, like many other federal agencies, can and should improve."