DHS Inspector General Says Office Has No Idea How New Cybersecurity Act Is Supposed To Be Implemented

from the OIG-to-Congress:-you-made-this-mess,-now-fix-it dept

The reanimated CISA, redubbed The Cybersecurity Act (a.k.a., OmniCISA) and hurried through the legislative process by stapling its 2000 pages to the back of a “must-pass” budget bill, is still in the processes of implementation. Not much is known about what the law is intended to do on the granular level, other than open up private companies to government surveillance so the USA can beat back “the cyber.”

Surveillance aficionados were quick to lean on private companies to start sharing information, but the government needs to be taught new tricks as well. There’s plenty of info siloing at the federal level, which keeps the DHS, FBI, and others involved in the cyberwar from effectively communicating, much less sharing anything interesting they might have had forwarded to them by the private sector.

The federal government has been less than successful in securing its own information — something CISA was also supposed to fix. The DHS’s Inspector General has performed a follow-up investigation on the department’s implementation of CISA’s requirements. For the most part, things seem to be moving forward, albeit in a vague, undefined direction.

The OIG notes that the DHS has put together policies and procedures and, amazingly, actually implemented some of them. Better still, it has moved many critical account holders to multi-factor authorization. Unfortunately, the DHS still has a number of standalone systems that can’t handle multi-factor authorization, which will make them more vulnerable to being breached.

That’s pretty much the end of the good news. There are still holes in the DHS’s data systems at a very critical juncture. From the report [PDF]:

Although the Department has established software inventory policies, not all DHS components used data exfiltration protection capabilities to support data loss prevention, forensics and visibility, and digital rights management. Further, the Department had not developed policies and procedures to ensure that contractors implement data protection solutions.

Then there’s this part of the report, which shows that no one truly understands the 2000-page law — not even the DHS’s first level of oversight, which can’t even tell what the agency is supposed to be doing to comply with the new law. (h/t Eric Geller)

DHS and its Components can benefit from additional data protection capabilities and policy to help ensure sensitive PII and classified information are secure from unauthorized access, use, and disclosure. We are submitting this report for informational purposes to the appropriate Congressional oversight committees, as required by the Act. Due to a lack of specific criteria, this report contains no recommendations.

This explains why the report is so short: the OIG doesn’t have anything to work with. Two thousand pages and yet the Cybersecurity Act’s demands and goals remain so vague that all the Inspector General can do is take a cursory look at the DHS’s security protocols and see if they’ve improved. Beyond that, the DHS and its Inspector General have no specifics to guide them and no firm goals to reach. So, the Inspector General’s office is doing the only thing it can do: kick the problem over to the legislators who created it.

This is already quite the problem considering the DHS is flying blind with achieving its internal directives. What makes matters worse is the DHS is a clearinghouse for the information and data obtained from private companies — like ISP monitoring of user activity for “cybersecurity purposes” — and is in charge of determining whether or not any personally-identifiable information needs to “scrubbed” before it is passed on to other government agencies.

If it doesn’t have enough guidance to determine what direction it should be going in securing its own systems, it presumably has far less when it comes to the handling of private sector information. Those privacy protections were stripped during CISA’s swift push through Congress and replaced with a DOJ judgment call on whether or not the DHS has performed an adequate scrub before handing over data to the FBI, NSA, et al. “Lack of specific criteria” pretty much defines the government’s approach to domestic surveillance — which is enabled by this law: grab it all now; figure it out later.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “DHS Inspector General Says Office Has No Idea How New Cybersecurity Act Is Supposed To Be Implemented”

Subscribe: RSS Leave a comment

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Older Stuff
13:40 It's Great That Winnie The Pooh Is In The Public Domain; But He Should Have Been Free In 1982 (Or Earlier) (35)
12:06 Norton 360 Now Comes With Crypto Mining Capabilities And Sketchy Removal Process (28)
10:45 Chinese Government Dragnet Now Folding In American Social Media Platforms To Silence Dissent (14)
10:40 Daily Deal: The 2022 Ultimate Cybersecurity Analyst Preparation Bundle (0)
09:29 A Fight Between Facebook And The British Medical Journal Highlights The Difficulty Of Moderating 'Medical Misinformation' (9)
06:29 Court Ruling Paves The Way For Better, More Reliable Wi-Fi (4)
20:12 Eighth Circuit (Again) Says There's Nothing Wrong With Detaining Innocent Minors At Gunpoint (15)
15:48 China's Regulatory War On Its Gaming Industry Racks Up 14k Casualties (10)
13:31 Chinese Government Fines Local Car Dealerships For Surveilling While Not Being The Government (5)
12:08 Eric Clapton Pretends To Regret The Decision To Sue Random German Woman Who Listed A Bootleg Of One Of His CDs On Ebay (29)
10:44 ICE Is So Toxic That The DHS's Investigative Wing Is Asking To Be Completely Separated From It (29)
10:39 Daily Deal: The 2022 Complete Raspberry Pi And Arduino Developer Bundle (0)
09:31 Google Blocked An Article About Police From The Intercept... Because The Title Included A Phrase That Was Also A Movie Title (24)
06:22 Wireless Carriers Balk At FAA Demand For 5G Deployment Delays Amid Shaky Safety Concerns (16)
19:53 Tenth Circuit Denies Qualified Immunity To Social Worker Who Fabricated A Mother's Confession Of Child Abuse (35)
15:39 Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust' (34)
13:32 Federal Court Tells Proud Boys Defendants That Raiding The Capitol Building Isn't Covered By The First Amendment (25)
12:14 US Courts Realizing They Have A Judge Alan Albright Sized Problem In Waco (17)
10:44 Boston Police Department Used Forfeiture Funds To Hide Purchase Of Surveillance Tech From City Reps (16)
10:39 Daily Deal: The Ultimate Microsoft Excel Training Bundle (0)
09:20 NY Senator Proposes Ridiculously Unconstitutional Social Media Law That Is The Mirror Opposite Of Equally Unconstitutional Laws In Florida & Texas (25)
06:12 Telecom Monopolies Are Exploiting Crappy U.S. Broadband Maps To Block Community Broadband Grant Requests (7)
12:00 Funniest/Most Insightful Comments Of 2021 At Techdirt (17)
10:00 Gaming Like It's 1926: Join The Fourth Annual Public Domain Game Jam (6)
09:00 New Year's Message: The Arc Of The Moral Universe Is A Twisty Path (33)
19:39 DHS, ICE Begin Body Camera Pilot Program With Surprisingly Good Policies In Place (7)
15:29 Remembering Techdirt Contributors Sherwin And Elliot (1)
13:32 DC Metro PD's Powerful Review Panel Keeps Giving Bad Cops Their Jobs Back (6)
12:11 Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers (39)
10:48 Oversight Board Overturning Instagram Takedown Of Ayahuasca Post Demonstrates The Impossibility Of Content Moderation (10)
More arrow
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it