A new report from the Office of Inspector General (OIG) contains several recommendations aimed at improving the Department of Homeland Security’s (DHS) mitigation of risk related to malware, ransomware, and phishing attacks.
Threats of cyberattacks have been increasing during the past two decades. According to a joint announcement from DHS, the Department of Defense, and the Department of Justice on August 3, 2020, the Chinese government has been using malware to target government agencies, private sector entities, and think tanks since 2008. Phishing groups used voter registration–related lures to trick people into accessing fake government sites and giving away personal data in the days prior to the 2020 presidential election. And in a March 21, 2022 statement, the U.S. President reiterated his warning to the Nation about the possibility of Russia conducting malicious cyber activity against the United States. Microsoft observed close to 40 destructive attacks on hundreds of Ukrainian systems from February 23 to April 8, 2022, with 32 percent of these attacks directly targeting Ukrainian government organizations at various levels.
In recent years, several DHS components have also been victims of cyberattacks. In May 2019, photos of more than 100,000 travelers coming into and out of the country were stolen during an attack on a U.S. Customs and Border Protection (CBP) subcontractor’s network. Similarly, on October 4, 2020, United States Coast Guard personnel discovered that a database for the Coast Guard Auxiliary had been subject to a malware attack, resulting in the exfiltration of contact information for 59,149 individuals who had expressed interest in joining the Coast Guard Auxiliary.
OIG’s audit found that DHS implements multiple layers of defense against malware, ransomware, and phishing attacks to protect its sensitive information from potential exploitation. In addition, DHS has implemented specific tools and technologies to further detect and prevent security events on component systems and to help protect DHS’ network communication and data.
However, the watchdog said DHS can better protect its sensitive data from potential malware, ransomware, and phishing attacks by revising its policies and procedures to incorporate new controls and ensuring its users complete the required cybersecurity awareness training to mitigate risk.
Seven of the eight DHS components evaluated “did not comply with the requirements for annual cybersecurity awareness training” OIG said. Two components had less than a 50 percent completion rate for the annual cybersecurity awareness training.
OIG results of FY 2019 and FY 2020 cybersecurity awareness training records sampled:
OIG also found that DHS components failed to consistently educate users about the risks of malware, ransomware, and phishing attacks. The watchdog said some organizations covered these topics in more depth than others. For example, DHS Headquarters did not even include the topic of ransomware in its training.
DHS components are required to conduct semi-annual phishing exercises but only four of the eight that OIG evaluated did so. The Coast Guard, DHS Headquarters, and the Federal Law Enforcement Training Centers did not conduct any phishing exercises in FYs 2019 or 2020. U.S. Immigration and Customs Enforcement conducted semi-annual phishing exercises in FY 2020, but the component did not perform any phishing exercises in FY 2019 due to contractual issues.
In response, Coast Guard officials stated that the component follows Defense Department security policy, which does not require phishing exercises.
OIG determined that DHS does not have a centralized process to track or manage cybersecurity awareness training records and that the components are responsible for implementing their own training programs. Component personnel cited a number of reasons for why they could not provide and maintain users’ cybersecurity awareness training records. These included insufficient resources and components’ loss of visibility into training records data during the third quarter of FY 2019; technical challenges with the training platform; changes from one automated tracking method to another; manual processes used by staff to track training completion; and no process to validate training completed outside of training platforms.
The watchdog made ten recommendations in total, with which DHS has agreed. The majority of these are directed at individual components, calling for training to be completed and recorded and for phishing exercises to be conducted. DHS noted some of the steps its components have already taken to address these shortcomings. For example, to ensure that 100 percent of users complete initial and annual refresher security awareness training, CBP developed a report generated from the identity management solution to identify users who are non-compliant. DHS told OIG that this report will enable CBP to identify non-compliant users more accurately and suspend those user accounts, as well as leverage the solution’s detailed audit log to investigate any anomalies. In addition, in March this year, Coast Guard launched new training features including the addition of the “Controlled Unclassified Information” data category and information on handling, which replaces the “For Official Use Only” categorization; telework policies/best practices and resources; and Bring Your Own Devices policies/best practices, applicable to personal laptops and mobile devices.
OIG also recommended that the DHS Chief Information Officer (CIO) update policies and procedures to implement National Institute of Standards and Technology standards to facilitate recovery from an adverse event and maintain operations during malware, ransomware, and phishing attacks. DHS said work is already underway and once complete, the update will streamline existing policy and guidance attachments to make implementing, auditing, and updating easier. For example, the DHS Office of the Chief Information Security Officer is simplifying policy process and procedures; eliminating the Sensitive Systems Handbook; and shortening the underlying document from several hundred pages to fewer than 100 pages. This effort will culminate in a full update of the Sensitive System Policy Directive and all dependent policies by the end of FY 2022.
Finally, OIG called for the DHS CIO to centrally track cybersecurity awareness training results and ensure training consistently covers malware, ransomware, and phishing. DHS responded that it established a cybersecurity training completion reporting schedule at the start of FY 2022 in which components report completion status statistics every April and July and at the end of each fiscal year to the DHS Chief Information Security Officer (CISO). DHS added that is currently researching the overall feasibility, potential costs, and possible cost sharing models for future consideration in building upon this effort.