The Secret Service and the Office of Immigration and Customs Enforcement are failing to take a number of basic cybersecurity precautions, according to an Office of Inspector General report released on Tuesday.
ICE and the Secret Service, which fall under the Department of Homeland Security, have website vulnerabilities that leave employees open to common cyberattacks, according to the report. “Successful exploitation of these vulnerabilities could allow an attacker to mislead a legitimate user to providing sensitive information, conduct privileged functions, or execute clickjacking attacks,” the report states.
Clickjacking refers to a technique in which users open a page that appears to be legitimate, but is actually a false page created by a hacker. The user enters his login credentials on the page, and it transmits him to the perpetrator. Such techniques are the most common method used by foreign governments, most notably China and Russia, to hack U.S. systems.
Russian hackers accessed email servers held by the Joint Chiefs of Staff in early August, while Chinese hackers reportedly accessed the Office of Personnel Management this year. Provided the Chinese government was behind the hack on the OPM, they likely already have information on nearly all Homeland Security employees. However, being able to access ICE or Secret Service systems would give them an even greater intelligence advantage.
Additionally, the report found that ICE was failing to conform to various federal cybersecurity guidelines. That included a failure to rename administrative accounts, which makes systems accessible to anyone who could hack a password. It also includes allowing sensitive system data to be saved on employees’ workstations, making it available to anyone with physical access to the agency’s computers.
The IG also found the agencies guilty of lesser transgressions, such as failing to provide “annual, specialized security training” for individuals with “significant security responsibilities.”
Additionally, investigators said, interdepartmental communication was not taking place effectively, which reduced efficiency across agencies. “Cyber personnel do not have a clear understanding of each other’s responsibilities and operational and investigative capabilities,” the report stated.
The IG made a number of recommendations, including department-wide training programs and security enhancements that would eliminate basic system vulnerabilities. Homeland Security responded that it agreed with the inspector general’s assessment, and said it would implement a plan to complete the reforms by March 2016.
