Audits conducted by the DHS inspector general’s office show that the Transportation Security Administration has been extraordinarily lax in basic IT security protocols, leaving the system wide open.
The audits have horrified IT experts and reflect the incompetent management that the agency responsible for keeping us safe in the air is suffering from.
The final report from the DHS Office of Inspector General details serious persistent problems with TSA staff’s handling of IT security protocols. These issues include servers running software with known vulnerabilities, no incident report process in place, and zero physical security protecting critical IT systems from unauthorized access.
What we’re talking about here are the very basics of IT security, and the TSA has been failing at these quite spectacularly for some time.
The report centers on the the way TSA (mis)handles security around the data management system which connects airport screening equipment to centralized servers. It’s called the Security Technology Integrated Program (STIP), and TSA has been screwing it up security-wise since at least 2012.
In essence, TSA employees haven’t been implementing STIP properly — that is, when they’ve been implementing it at all.
STIP manages data from devices we see while going through security lines at airports, namely explosive detection systems, x-ray and imaging machines, and credential authentication.
The bottom line is that the TSA hasn’t followed DHS guidelines for managing STIP equipment, and the risks are grave, as spelled out in the report. “Failure to comply with these guidelines increases the risk that baggage screening equipment will not operate as intended, resulting in potential loss of confidentiality, integrity, and availability of TSA’s automated explosive, passenger, and baggage screening programs.”
The specific problems cited by the IG are not the kind of stuff you want to read before you get on a plane:
In addition to unpatched software and a lack of physical security that allowed non-TSA airport employees access to IT systems, the auditors found overheated server rooms and computers using unsupported systems — and much more.
The observed “lack of an established disaster recovery capability” noted by the OIG is particularly scary. If a data center was taken out by natural disaster, passenger screening and baggage info would be rendered inaccessible.
Not only that, but there was no security incident report process in place, and there was “little employee oversight in maintaining IT systems.” And, auditors were not pleased at all that non-TSA IT contractors maintained full admin control over STIP servers at airports.
So basically, non-vetted IT contractors can fiddle around with servers the TSA uses to protect us. If I didn’t know any better, I would conclude that agency doesn’t care whether you live or die.
Actually, I know better and that is my conclusion.
Has there ever been a federal agency like the DHS that has been run more incompetently and has been incapable of carrying out its mission to protect our borders, protect the president, protect the flying public, and protect us from terrorists? These are the basic functions of the DHS and in every case, there has been failure and mismanagement.
Surely, there’s a better way. DHS should be dissolved and thrown onto the ash heap of history, a bad idea in the first place made worse by inept management.