IG: Interior unprepared for cyber threats

The Department of Interior is vulnerable to the theft of sensitive data, unprepared to detect and deal with cyber threats and failing to keep users on its computer network from visiting —downloading materials from — illicit websites, according to a new watchdog report.

During testing at a U.S. Geological Survey facility as part of a department-wide audit, Interior's inspector general identified a "workstation attempting to communicate with IP addresses of known malware command and control website in Russia." The machine, Interior later determined, had been compromised.

Auditors found one Interior network user "had been frequenting websites that hosted pornography" and downloading and saving material from the sites to an external drive.

They also found users on the U.S. Geological Survey network were "actively streaming pirated media from Russian and Ukrainian websites."

Inappropriate and risky network behavior occurred undetected, auditors found, due to deficiencies and inconsistencies in Interior's Office of the CIO incident response program.

Rep. Elijah Cummings (D-Md.), the ranking member of the House Oversight and Government Reform Committee, said the findings "are symptomatic of a much broader problem," pointing to the White House's proposed multi-billion-dollar cuts to many civilian agencies.

"Our country faces an increasing number of sophisticated cyberattacks, so it is critical that the federal government increase the funding and investments we need to secure our IT systems at both our defense and civilian agencies," Cummings said.

As part of its assessment, auditors simulated cyberattacks to access Interior's networks. And while OCIO's incident response tools detected "many" of the tests, "hundreds of thousands" of alerts went unnoticed by OCIO staff because they did not review some enterprise security tools for two weeks, auditors stated.

Due to slow or nonexistent responses to security alerts, sensitive data could be stolen without detection, and risks are not quickly contained or eradicated, auditors stated.

Additionally, auditors reported that OCIO and Interior staff did not investigate "blocked potential threats or inappropriate user behavior" because OCIO's cybersecurity operations group "had been instructed to focus on widespread or confirmed incidents" instead.

"OCIO's blocking of anomalous traffic from bureau computer networks without alerting the affected bureau of the potential cyber threat… directly led to multiple compromised machines remaining on the Department's network for an indeterminate amount of time," the report states.

Further, auditors reported that OCIO's cybersecurity operations team "was not privy to" the department's high-value IT asset list "due to its sensitive nature."

Since those responsible for securing Interior's IT resources could not access the list, "incident response teams could not focus their resources where they were most needed," the report states.

Auditors made 23 recommendations to improve Interior's incident response program and internal controls. Among them are requiring all security incidents to be tracked in a single enterprise system, developing a department-wide policy to address and monitor inappropriate internet usage, as well as the complete replacing or redesigning of the incident tracking system.

Interior concurred with the recommendations, and provided target completion dates.