
Cybersecurity audit of the US Secret Service found unacceptable vulnerabilities - expert comment

October 2016 by Stephen Gates, chief research intelligence analyst at NSFOCUS

A cybersecurity audit of the US Secret Service found unacceptable vulnerabilities
that leave the possibility of insider-threat activity and privacy violations.

According to this article, the Office of the Inspector General performed a
cybersecurity audit after the Secret Service improperly accessed and disclosed
information about Rep. Jason Chaffetz (R-Utah), chairman of the House Committee on
Oversight and Government Reform, which monitors U.S. Secret Service (USSS)
operations. A number of weaknesses were found, including inadequate system security
plans (SSP), systems with expired authorities to operate, inadequate access and
audit controls, noncompliance with logical access requirements, inadequate privacy
protections and over-retention of records.

Commenting on this, Stephen Gates, chief research intelligence analyst at NSFOCUS,
said "Mandated by Congress, the role of United States Secret Service (USSS) is to
protect our leaders, visiting dignitaries, and designated sites and events in the
U.S. In addition, they're tasked with safeguarding the nation's critical
financial infrastructure and payment systems. In other words, they're responsible
for protecting the "stability" of our nation.

Secrecy is in their name; however, that secrecy may be at risk due to the poor state
of information security within their organisation that was recently exposed.
According to reports, their latest cybersecurity audit points to numerous flaws in
their approach to securing themselves, and our national interests. This situation
highlights a serious lack of leadership and overall responsibility.

Being tasked with protecting our nation's critical financial infrastructure and
payment systems, how can we expect the nation's financial organisations to clean
up their own acts and harden their cyber defences when the agency who has oversight
does not do the same? The USSS is also designated to protect our leaders and
visiting dignitaries. Hackers and miscreants gaining inside information about USSS
protection plans put our leaders and dignitaries at serious risk as well.

Being unsure what it's going to take to clean up their internal operations, the
first step they need to take is shoring up their cyber-defensive posture. Hackers
gaining access to "secret" information within their organisation makes us all
more vulnerable. An intelligent hybrid security strategy combined with global
cyber-threat intelligence, cloud defences, and on-premises defence will reduce their
risk; while they take steps to implement good policies and procedures to defend
themselves and our national interests."

