Failures

by Tim Cushing


Filed Under:
dhs, inspector general, redactions, tsa



Redactions To Report On TSA's Internal Security Failures Prompts Angry Response From Inspector General

from the do-what-thou-wilt,-or-mostly-don't;-that-is-the-whole-of-the-policy dept

The DHS's Inspector General has finally released a report [pdf link] on the agency's control of TSA information systems at JFK International Airport. It's been delayed several times, mainly because of (now former) TSA head John Pistole's refusal to communicate with the Inspector General's office.

This report -- which has a release date of January 16, 2015 -- was actually completed on July 22, 2014. It was turned over to the TSA's CIO for a review, which should have been concluded within 30 days. The DHS Chief of Staff asked for additional time after failing to meet this deadline. The Inspector General granted another 30 days, making the new deadline September 17.

This revised due date came and went without a response from the TSA. On October 20th, the TSA finally produced its approved version of the IG's report, but not without several redactions of supposed SSI (Sensitive Security Information). The IG formally challenged the redactions in a November memo to John Pistole. Pistole never responded. Another memo was issued in December, which was also ignored by the TSA chief.

Finally, five months after its sensitive information review, the report was returned to the IG's office. All of the challenged redactions remained.

The IG's letter, which opens up the report, expresses his displeasure at the TSA's stalling tactics and secrecy.

I am disappointed in both the substance of the decision as well as its lack of timeliness. In 2006, Congress, concerned about delays in appeals of this nature, directed the Department to revise DHS Management Directive 11056.1 to require TSA to require timely SSI reviews. Given the clear requirement for timely SSI reviews in response to requests from the public, we hoped that TSA would approach an SSI appeal from the Inspector General with similar diligence, especially because TSA was aware of our deadlines.

Now, to meet our reporting requirement, we are compelled to publish a redacted report with SSI markings and will again ask the head of TSA to overrule the SSI program office's decision.

I believe that this report should be released in its entirety in the public domain. I challenged TSA's determination because this type of information has been disclosed in other reports without objection from TSA, and because the language marked SSI reveals generic, non-specific vulnerabilities that are common to virtually all systems and would not be detrimental to transportation security. My auditors, who are experts in computer security, have assured me that the redacted information would not compromise transportation security. Our ability to issue reports that are transparent, without unduly restricting information, is key to accomplishing our mission.
So, here we have a clear case of the TSA thwarting its own oversight in order to withhold information from the public. These are the sorts of things the TSA doesn't want you to see.




The TSA believes that exposing this information (such as the locations of its unsecured areas) will create a security risk, but it doesn't explain how that would be any different from the state the areas were in when the OIG inspected them. Unless JFK's TSA staff haven't taken any steps, the issues pointed out in the report like exposing the location of these areas (and, I don't know, CLOSING AND LOCKING DOORS), shouldn't matter.

As for redacting the number of vulnerabilities found in the TSA's servers, the only plausible explanation is that every number in those blacked-out charts is higher than agency feels comfortable disclosing. Whether the number is 2 or 9 really doesn't matter. (In one total column, it's obviously a two-digit number.) It only takes one hole to compromise a system.

While the TSA managed to withhold some information, much of what's left untouched isn't exactly flattering. The TSA's "security theater" apparently extends to its internal operations. We know the TSA generally "catches" terrorists by allowing airborne passengers do all the heavy lifting. This same "work ethic" applies to securing its own systems. From the looks of what the IG found, TSA agents at JFK apparently believe internal security is someone else's job and even the most basic of controls haven't been implemented.
At JFK, TSA did not have visitor logs in any of its communication rooms to document the entry and exit of visitors to these rooms that contain sensitive IT equipment.

[...]

Fire protection, detection, and suppression controls were not present in many TSA communication rooms. Specifically, 14 of the 21 rooms inspected that contained sensitive equipment did not have fire extinguishers…

Compounding the issue of fire detection and mitigation, only 7 of 21 the rooms inspected contained smoke detectors. Smoke detectors alert the appropriate personnel of a potential fire and possible hazard.

[...]

Several TSA communication closets located in the JFK terminals contained storage items and cleaning supplies. For example, we found TSA equipment on top of an unlocked TSA telecommunication cabinet surrounded by a ladder, boxes, trash, and cleaning supplies. The ladder, boxes, and cleaning supplies are all harmful to IT equipment. Additionally, there was no sign in sheet, and non-TSA personnel used the room for equipment storage.
TSA did not have an operable uninterruptible power supply (UPS) in three communication cabinets…

A sensitive equipment cabinet located in a public area was unlocked and left open to run an extension cord to a nearby electrical outlet for power.
The door to the secure Explosive Detection Systems room, where TSA reviews x-ray images of luggage to determine if suspicious checked luggage requires additional inspection, was propped open to vent a portable air conditioning unit, violating physical security controls.

The IG makes several recommendations, most of which can be boiled down to four words: FOLLOW EXISTING DHS POLICIES.

Since this report contains inspections of every other DHS agency with operations at the JFK airport, similar faults were found for both CBP (Customs and Border Protection) and ICE (Immigrations and Customs Enforcement). However, one agency managed to pass inspection: the Secret Service.
USSS fully complied with DHS operational, technical, and management operational policies for its telecommunication room at JFK. We audited IT security controls of the USSS telecommunication room located at the JFK on-site building number 75. This location had a DHS OneNet connection and a network switch device. The telecommunications room was clean and well maintained. Visitor’s logs were also maintained. Humidity and temperature sensor readings were within DHS policy guidelines. Since, the JFK location did not have an on-site server, vulnerability scans were not applicable.
Say what you will about its inability to secure the White House, but the Secret Service -- which oversees travel of dignitaries and government officials on over 800 flights per year -- has its JFK operations locked down tight.

What we have detailed here is another security agency making an effort to thwart its oversight. The TSA managed to delay a critical report by 6 months and withhold supposedly "sensitive" information over the repeated protests of the Inspector General. In doing so, it has shown Americans who really holds the power in Washington -- and it isn't these agencies' internal and external oversight.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    nasch (profile), 30 Jan 2015 @ 1:00pm

    USSS

    It would be interesting to look at differences between the USSS and TSA. Such as hiring practices, compensation, training, culture, etc. Clearly it's possible for a government agency to do security right, and there are reasons USSS did it and TSA and the others didn't.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 Jan 2015 @ 1:31pm

      Re: USSS

      Turns out that the USSS has had to compete with DHS for funding in the post-9/11 policy world, leading to the various shortcomings we've seen. All the more reason to do away with DHS

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 Jan 2015 @ 2:14pm

      Re: USSS

      The biggest difference it that USSS agents are deputized law enforcement officers.

      Can you point us to any statute or regulation that provides TSA agents are also law enforcement officers and have to go through a law enforcement academy?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 31 Jan 2015 @ 5:30am

        Re: Re: USSS

        Actually alot of TSA agents are people who aspire to be cops but are too stupid to make it into LEO academy

        reply to this | link to this | view in chronology ]

  • identicon
    Baron von Robber, 30 Jan 2015 @ 1:04pm

    Wow, their IT looks like the rest of their organization, expensive and useless.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 30 Jan 2015 @ 1:04pm

    What is the point of this?

    I mean really, if they decided to show a room full of dead people that pissed the TSA or USSS off, would anyone really riot? or care?

    All they would need to do is come up with the next 'problem' fast enough to make the good ole public forget about it.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 30 Jan 2015 @ 1:43pm

    i have never experienced such unhelpful and such 'stuck up their own asses' as the members of this group. i doubt if there is a single person who doesn't agree that airport security must be maintained and vigilant but the way these people conduct themselves is a disgrace to the very meaning of the term 'security'! rather than doing what they can to try to find any illegal substances and the people carrying them, the majority of effort seems to be spent being as awkward, as insufferable and as cantankerous as possible to passengers, even more so to those who haven't had the 'experience' before!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 30 Jan 2015 @ 1:47pm

    Vulnerability scans

    Why are they worried about the vulnerability scan data? Afraid the NSA will find and exploit them? It's not like the NSA doesn't have their own exploit list, after all.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 30 Jan 2015 @ 1:52pm

    Time to clear out the entire executive board of the TSA, along with any non-executive directors.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 30 Jan 2015 @ 2:48pm

    people are fools to expect a corrupt organization to follow the laws they pretend they serve.

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 30 Jan 2015 @ 3:25pm

    I can see some problems

    The most interesting way to Protect something...

    The Best way I have ever seen for protecting Equipment, when there is restricted space..No where to put it all..
    Is very simple.

    You place it out in Public, where ALL your employees can see it..Let Everyone see it.. Its like a Large Bike rack.. Let everyone watch it, Dont hide it in the back. Use a couple cameras, and let everyone watch it.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 30 Jan 2015 @ 9:10pm

    Fig. 3a

    Installing a card reader (with keypad?) and then keeping the door open with a tube... the best of the best of the best. Good to know the $7+ billion/year are well spent.

    reply to this | link to this | view in chronology ]

  • icon
    GEMont (profile), 31 Jan 2015 @ 9:03pm

    TSA - Terribly Stupid Assholes

    "At JFK, TSA did not have visitor logs in any of its communication rooms to document the entry and exit of visitors to these rooms that contain sensitive IT equipment."

    Now that is damned funny.

    When was the last time anyone can remember that a thief, terrorist, or lost wanderer, stopped to sign his name in a visitor log book before entering an area filled with sensitive government equipment.

    And if were talking about a TSA employee being in the room and handing a visitor a log book to sign upon entrance to the room, then where is the problem of security - the logbook handler is in the room already!

    Does TSA not know who can and cannot enter such rooms??

    Amazing how absolutely every aspect of the TSA is riddled with absurdity, silliness and an apparent complete lack of common sense. Do they have a "Morons Only" limitation on their employment applications?

    ---

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Feb 2015 @ 6:47am

    Great work guys!

    reply to this | link to this | view in chronology ]

  • identicon
    Reality bites, 10 Feb 2015 @ 10:37am

    Not even one DHS employee that should be retained let alone leave in the country

    Every DHS moron should be deported, if you are dumb enough to join, you just failed the citizenship test.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.