The US Secret Service (USSS) has come under heavy criticism after a government audit found serious cybersecurity failings which could be exposing highly sensitive data.
The Department of Homeland Security Office of Inspector General (OIG) conducted the audit as a follow-up to a September 2015 investigation into USSS staff “improperly accessing and distributing sensitive information” on its Master Central Index (MCI) mainframe system.
It found the Secret Service did not have adequate protections in place on the systems to which MCI data was migrated.
The OIG added:
“USSS information technology management was ineffective, including inadequate system security plans, systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections, and over-retention of records.”
Remarkably, USSS access control policies have not been updated since 2003, the audit found. The Service did not enforce the principle of least privilege, so over 5,000 staff members had access to the MCI, and “high-impact systems” were not configured, as required, to log users out automatically “after a specified amount of inactivity”.
The number of concurrent user sessions was also not limited to one.
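The three access controls the audit found missing (automatic logout after a period of inactivity, a limit of one concurrent session per user, and an audit trail of access decisions) are straightforward to enforce in a session layer. The following is an added illustration written for this article, not code from the OIG report or the Secret Service; the class names, the 15-minute idle limit and the injected clock are assumptions chosen for the example.

```python
"""Added example: an in-memory session store enforcing idle timeout,
one concurrent session per user, and an audit log of access decisions.
Names, the idle limit and the clock injection are assumptions for
illustration, not details taken from the audit report."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    user: str
    last_activity: float  # seconds, as reported by the injected clock


class SessionManager:
    def __init__(self, idle_timeout_s: float, clock: Callable[[], float]):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions: Dict[str, Session] = {}  # token -> Session
        self._by_user: Dict[str, str] = {}  # user -> token; one entry per user
        self.audit_log: List[str] = []

    def _log(self, event: str, user: str, detail: str = "") -> None:
        # Every access decision is recorded so that misuse can be reconstructed later.
        self.audit_log.append(
            f"t={self.clock():.0f} event={event} user={user} {detail}".rstrip()
        )

    def login(self, user: str) -> str:
        # Concurrent sessions are limited to one: a new login revokes the old session.
        old_token = self._by_user.pop(user, None)
        if old_token is not None:
            self._sessions.pop(old_token, None)
            self._log("session_revoked", user, "reason=new_login")
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user=user, last_activity=self.clock())
        self._by_user[user] = token
        self._log("login", user)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None. Idle sessions are
        expired on first use after the timeout (automatic logout)."""
        sess = self._sessions.get(token)
        if sess is None:
            self._log("invalid_token", "unknown")
            return None
        now = self.clock()
        if now - sess.last_activity > self.idle_timeout_s:
            self._expire(token, sess, "idle_timeout")
            return None
        sess.last_activity = now  # any successful use resets the idle clock
        return sess.user

    def _expire(self, token: str, sess: Session, reason: str) -> None:
        self._sessions.pop(token, None)
        if self._by_user.get(sess.user) == token:
            del self._by_user[sess.user]
        self._log("session_expired", sess.user, f"reason={reason}")

    def active_sessions(self, user: str) -> int:
        # With the one-session rule this can only ever be 0 or 1.
        return 1 if user in self._by_user else 0


if __name__ == "__main__":
    # Constructed walkthrough with a manual clock (seconds).
    now = [0.0]
    mgr = SessionManager(idle_timeout_s=15 * 60, clock=lambda: now[0])
    first = mgr.login("analyst1")
    second = mgr.login("analyst1")  # revokes `first`
    print("first still valid:", mgr.validate(first))  # None
    now[0] = 15 * 60 + 1
    print("second after idle period:", mgr.validate(second))  # None
    print("\n".join(mgr.audit_log))
```

The idle check is done lazily at validation time rather than by a background sweeper, which is enough to guarantee that no request is ever served on a stale session; a periodic sweep can be added to free memory, but it does not change the security property.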
The report continued:
“These problems occurred because USSS has not consistently made IT management a priority. The USSS Chief Information Officer (CIO) lacked authority for all IT resources and was not effectively positioned to provide necessary oversight. Inadequate attention was given to updating USSS IT policies to reflect processes currently in place. High turnover and vacancies within the Office of the CIO meant a lack of leadership to ensure IT systems were properly managed. In addition, USSS personnel were not adequately trained to successfully perform their duties.”
The Secret Service began updating its IT program late last year and will belatedly be centralizing resources under a full-time CIO.
But the OIG warned that until these changes take effect and can demonstrate effectiveness, systems and data will remain vulnerable.
The audit’s 11 recommendations have been accepted by the USSS and DHS.
Stephen Gates, chief research intelligence analyst at NSFOCUS, argued that the audit “highlights a serious lack of leadership and overall responsibility.”
“Being tasked with protecting our nation’s critical financial infrastructure and payment systems, how can we expect the nation’s financial organizations to clean up their own acts and harden their cyber defences when the agency who has oversight does not do the same?” he added.
“The USSS is also designated to protect our leaders and visiting dignitaries. Hackers and miscreants gaining inside information about USSS protection plans put our leaders and dignitaries at serious risk as well.”