DHS disaster-response database falls short

IG cites lack of security, continuity plans

The Homeland Security Department's primary database for emergency preparedness and response lacks adequate continuity-of-operations plans and protections for sensitive data, DHS' inspector general has concluded in a new report.

Run by the department's Emergency Preparedness and Response Directorate, the National Emergency Management Information System (NEMIS) tracks incident coordination efforts. Officials use the database for activities such as managing disbursements to disaster victims and spending on recovery efforts at the federal and state levels.

Richard Skinner, DHS' IG, wrote in the report released Nov. 7 that "due to database security exposures, there is an increased risk that unauthorized individuals could gain access to critical [Emergency Preparedness and Response] database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data." He noted that the directorate might not be able to recover the database after a disaster.

The report is another black eye for the directorate that includes the Federal Emergency Management Agency and oversees national efforts to prepare for and respond to disasters. Congress and the public recently criticized DHS and FEMA for their response to Hurricane Katrina, which devastated the Gulf Coast in August.

The IG's report recommends that Barry West, FEMA's chief information officer, fix all remaining vulnerabilities and guarantee that appropriate access-control measures are in place. The CIO's office should also create and implement annual contingency training and testing programs, the IG report states.

In his written response -- which was dated Aug. 10, nearly three weeks before Katrina hit New Orleans -- West said his office had implemented 71 of the 100 security improvements the IG had suggested. West said the report spurred him to mandate annual independent security assessments of NEMIS starting in fiscal 2006.

NEMIS' lack of data security could put thousands of Americans' personal information at risk, said Jennifer Kerber, director of homeland security at the Information Technology Association of America.

The lack of sufficient security and backup procedures for NEMIS data is alarming but not entirely surprising, Kerber said. Poor access control has led to major data breaches in the private sector, she said. "You would find a lot of places don't have as secure a database as they think they do," she added.

"I'm surprised, if [NEMIS] is responsible for that amount of activity, [that] it is not more well-protected," said Mark Ghilarducci, vice president of James Lee Witt Associates, an emergency-management consulting firm. Previously, Ghilarducci was a deputy director at the Governor's Office of Emergency Services in California.

During emergencies, FEMA hires thousands of temporary workers who need access to NEMIS and other computer systems, Ghilarducci said. The directorate needs to create a robust gatekeeping system and ensure that users cannot access the systems after they leave FEMA, he said.

The directorate also should conduct thorough audits of its IT systems to prevent attacks, Ghilarducci said. European hackers once hid pornography on Office of Emergency Services' servers, he said, but the diligence of the IT security staff led to the discovery and removal of the material. Without conscientious auditing, NEMIS might not find that kind of intrusion as quickly, he said.

In its defense, Ghilarducci said, FEMA is suffering from a loss of expertise and funding. "There's no excuse for [their NEMIS performance], but I understand the challenges they face," he said.

Database deficiency diagnosis

The Homeland Security Department's inspector general has found a number of security weaknesses in how DHS' Emergency Preparedness and Response Directorate manages one of its primary databases, the National Emergency Management Information System (NEMIS).

The IG found that the directorate:

  • Lacks effective processes to ensure only the right people have proper access to NEMIS. The system's servers have vulnerabilities associated with access rights, password administration, configuration management and other issues. Those vulnerabilities could make NEMIS operations and data susceptible to cyberattacks.

  • Lacks sufficient procedures to audit NEMIS operations, which increases the risk that the directorate would not be able to detect or quickly investigate illegal access or malicious changes to data.

  • Has not tested the information technology contingency plan for NEMIS or trained employees to use that plan and does not store NEMIS backup tapes in waterproof and fireproof containers.

  • Fails to comply with four requirements of the Federal Information Security Management Act of 2002 and with DHS' overall security policies, procedures and practices.

    -- Michael Arnone

  • Featured

    • Defense
      Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

      Army wants to spend nearly $1B on cloud, data by 2025

      Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

    • Congress
      Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

      Jim Langevin's view from the Hill

      As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

    Stay Connected

    FCW INSIDER

    Sign up for our newsletter.

    I agree to this site's Privacy Policy.