The DHS's Inspector General has finally released a report [pdf link] on the agency's control of TSA information systems at JFK International Airport. It's been delayed several times, mainly because of (now former) TSA head John Pistole's refusal to communicate with the Inspector General's office.
This report -- which has a release date of January 16, 2015 -- was actually completed on July 22, 2014. It was turned over to the TSA's CIO for a review, which should have been concluded within 30 days. The DHS Chief of Staff asked for additional time after failing to meet this deadline. The Inspector General granted another 30 days, making the new deadline September 17.
This revised due date came and went without a response from the TSA. On October 20th, the TSA finally produced its approved version of the IG's report, but not without several redactions of supposed SSI (Sensitive Security Information). The IG formally challenged the redactions in a November memo to John Pistole. Pistole never responded. Another memo was issued in December, which was also ignored by the TSA chief.
Finally, five months after its sensitive information review, the report was returned to the IG's office. All of the challenged redactions remained.
The IG's letter, which opens up the report, expresses his displeasure at the TSA's stalling tactics and secrecy.
I am disappointed in both the substance of the decision as well as its lack of timeliness. In 2006, Congress, concerned about delays in appeals of this nature, directed the Department to revise DHS Management Directive 11056.1 to require TSA to require timely SSI reviews. Given the clear requirement for timely SSI reviews in response to requests from the public, we hoped that TSA would approach an SSI appeal from the Inspector General with similar diligence, especially because TSA was aware of our deadlines.
Now, to meet our reporting requirement, we are compelled to publish a redacted report with SSI markings and will again ask the head of TSA to overrule the SSI program office's decision.
I believe that this report should be released in its entirety in the public domain. I challenged TSA's determination because this type of information has been disclosed in other reports without objection from TSA, and because the language marked SSI reveals generic, non-specific vulnerabilities that are common to virtually all systems and would not be detrimental to transportation security. My auditors, who are experts in computer security, have assured me that the redacted information would not compromise transportation security. Our ability to issue reports that are transparent, without unduly restricting information, is key to accomplishing our mission.
So, here we have a clear case of the TSA thwarting its own oversight in order to withhold information from the public. These are the sorts of things the TSA doesn't
want you to see.
The TSA believes that exposing this information (such as the locations of its unsecured areas) will create a security risk, but it doesn't explain how that would be any different from the state the areas were in when the OIG inspected them. Unless JFK's TSA staff haven't taken any
steps, the issues pointed out in the report like exposing the location of these areas (and, I don't know, CLOSING AND LOCKING DOORS), shouldn't matter.
As for redacting the number of vulnerabilities found in the TSA's servers, the only plausible explanation is that every number in those blacked-out charts is higher than agency feels comfortable disclosing. Whether the number is 2 or 9 really doesn't matter. (In one total column, it's obviously a two-digit number.) It only takes one
hole to compromise a system.
While the TSA managed to withhold some information, much of what's left untouched isn't exactly flattering. The TSA's "security theater
" apparently extends to its internal operations. We know the TSA generally "catches" terrorists
by allowing airborne passengers do all the heavy lifting. This same "work ethic" applies to securing its own systems. From the looks of what the IG found, TSA agents at JFK apparently believe internal security is someone else's job and even the most basic
of controls haven't been implemented.
At JFK, TSA did not have visitor logs in any of its communication rooms to document the entry and exit of visitors to these rooms that contain sensitive IT equipment.
Fire protection, detection, and suppression controls were not present in many TSA communication rooms. Specifically, 14 of the 21 rooms inspected that contained sensitive equipment did not have fire extinguishers…
Compounding the issue of fire detection and mitigation, only 7 of 21 the rooms inspected contained smoke detectors. Smoke detectors alert the appropriate personnel of a potential fire and possible hazard.
Several TSA communication closets located in the JFK terminals contained storage items and cleaning supplies. For example, we found TSA equipment on top of an unlocked TSA telecommunication cabinet surrounded by a ladder, boxes, trash, and cleaning supplies. The ladder, boxes, and cleaning supplies are all harmful to IT equipment. Additionally, there was no sign in sheet, and non-TSA personnel used the room for equipment storage.
TSA did not have an operable uninterruptible power supply (UPS) in three communication cabinets…
A sensitive equipment cabinet located in a public area was unlocked and left open to run an extension cord to a nearby electrical outlet for power.
The door to the secure Explosive Detection Systems room, where TSA reviews x-ray images of luggage to determine if suspicious checked luggage requires additional inspection, was propped open to vent a portable air conditioning unit, violating physical security controls.
The IG makes several recommendations, most of which can be boiled down to four words: FOLLOW EXISTING DHS POLICIES.
Since this report contains inspections of every other DHS agency with operations at the JFK airport, similar faults were found for both CBP (Customs and Border Protection) and ICE (Immigrations and Customs Enforcement). However, one agency managed to pass inspection: the Secret Service.
USSS fully complied with DHS operational, technical, and management operational policies for its telecommunication room at JFK. We audited IT security controls of the USSS telecommunication room located at the JFK on-site building number 75. This location had a DHS OneNet connection and a network switch device. The telecommunications room was clean and well maintained. Visitor’s logs were also maintained. Humidity and temperature sensor readings were within DHS policy guidelines. Since, the JFK location did not have an on-site server, vulnerability scans were not applicable.
Say what you will about its inability to secure the White House
, but the Secret Service
-- which oversees travel of dignitaries and government officials on over 800 flights per year -- has its JFK operations locked down tight.
What we have detailed here is another security agency making an effort to thwart its oversight. The TSA managed to delay a critical report by 6 months and withhold supposedly "sensitive" information over the repeated protests of the Inspector General. In doing so, it has shown Americans who really holds the power in Washington -- and it isn't these agencies' internal and external oversight.