While the Transportation Security Administration has made headway in defending against insider attacks, the agency lacks specific policies and procedures to mitigate those threats, according to a recent inspector general audit.
The September audit, released this week, found that TSA has not implemented insider threat policies and procedures that clearly explain its employees’ role in defending against insider threats. TSA also lacks a risk mitigation plan that ensures all employees address the risks of insider threats in a consistent way.
TSA defines insider threat as “one or more individuals with access or insider knowledge that allows them to exploit the vulnerabilities of the nation’s transportation systems with the intent to cause harm,” according to the Department of Homeland Security IG audit. Threats can include spying, release of information, sabotage, corruption, impersonation, theft, smuggling, and terrorist attacks. Insider threats can include current and former employees and contractors.
The report noted that TSA doesn’t have a mandatory insider threat training and awareness program for employees, and it lacks protective measures to ensure unauthorized employees can’t, for instance, dump massive amounts of sensitive data onto a portable storage device.
The IG recommends that TSA’s assistant administrator for information technology:
– Further develop TSA’s insider threat program by including policies, procedures and a risk management plan.
– Require insider threat awareness training for employees.
– Direct systems administrators to disable USB ports on computers and laptops if there is not a legitimate need for them.
– Limit the size of email file attachments until the proper measures are in place to detect or prevent unauthorized exfiltration of sensitive information.
However, TSA said it has developed a directive, currently awaiting approval, that identifies polices and procedures for its insider threat program. The agency stood up a toll free hotline and email address for reporting insider threats and also plans to roll out an insider threat training and awareness program.
The agency said disabling USB ports isn’t feasible but, instead, has an application in place to alert the agency when data is transferred outside DHS networks. TSA also disagreed with any restrictions on email file sizes.
Further discussions between the agency and the IG are required to hash out differing opinions.
In June, Reps. Bennie Thompson, D-Miss, and Sheila Jackson Lee, D-Texas, questioned TSA’s plans to purchase software that monitors employees’ keystrokes, emails and other online activities as part of a larger effort to defend against internal attacks.
In a response letter, TSA Administrator John Pistole said the software would provide TSA with forensic evidence for investigations should an employee ever be identified as a potential insider threat to TSA’s mission.
In an Oct. 3 response letter to the IG audit, the lawmakers requested a detailed description of TSA’s current spending related to the insider threat, an estimate of the anticipated lifecycle cost of the monitoring software the agency plans to buy, when TSA will have policies, procedures and a risk management plan and other information by Oct. 17.