IG blasts secrecy on JFK IT security lapses

The DHS inspector general says TSA is unduly classifying embarrassing IT practices at the New York airport.

Fourth terminal of John F. Kennedy International Airport. (Wikimedia)

The Department of Homeland Security Inspector General says the Transportation Security Administration is using secrecy protections to paper over run-of-the-mill sloppy IT security practices at John F. Kennedy International Airport.

Citing Sensitive Security Information (SSI), the TSA blacked out substantial portions of a report DHS Inspector General John Roth submitted on the security of JFK Airport's IT operations.

In a Jan. 16 letter to Chip Fulghum, acting undersecretary for management, Roth said TSA had overused SSI protections in making redactions in the JFK report. The IT security lapses at the airport, he said, didn’t warrant SSI classification.

Roth said he submitted the draft report for comments in July and, after several extensions, TSA submitted its redactions in October. The IG said in an email to FCW that earlier this month TSA "affirmed its original redaction to the report."

Similar content, argued Roth, was reported in the IG's last two publicly released audit reports on Dallas/Fort Worth and Atlanta Hartsfield airports.

He said the examples of IT security problems his office found at JFK, such as unlocked server rooms, inadequate server protections and a marked scarcity of server room sign-in sheets, could spur changes at other facilities if they were more widely known.

"I believe that this report should be released in its entirety in the public domain. I challenged TSA's determination because this type of information has been disclosed in other reports without objection from TSA, and because the language marked SSI reveals generic, non-specific vulnerabilities that are common to virtually all systems and would not be detrimental to transportation security," Roth wrote.

In his letter, Roth added that the vulnerabilities shown wouldn't compromise transportation security. Classifying the information, he said, runs counter to a 2010 law aimed at reducing the amount of classified material.

In a Jan. 23 statement on the report, Rep. Bennie Thompson (D-Miss.), ranking member of the House Homeland Security Committee, agreed with Roth. "Classifying information as sensitive or secret, while withholding it from the public, should only be done if national security could be at risk. Proper transparency is key to good governance and by insisting this report be partially redacted, TSA undercuts this transparency."

The DHS IG's 50-page report on JFK contains photos of some of the more egregious security problems, including pictures of TSA equipment in a corridor-accessible closet with unsecured double doors to a public area next to a TSA terminal security checkpoint; various unlocked server doors; dusty equipment; improperly stored cleaning agents on top of IT equipment; no log-in sheets for IT server rooms; and other fundamental lapses that could lead to problems if left unattended.

The report also said TSA didn't have any devices to measure humidity in the 21 server/switch rooms that IG inspectors visited at the airport. Additionally, it said 13 of the 21 server/switch rooms didn't have temperature sensors. Of the eight rooms that did have temperature sensors, only two had temperature readings within the acceptable range established by DHS policy.

"The department has already implemented corrective actions," DHS said in an emailed statement, and "developed plans of actions and milestones to facilitate timely closure of all recommendations in the OIG report."
