One of the federal government departments tasked with fending off cyberthreats has no clear plan for doing so in federal buildings, while another agency that oversees federal facilities is not keeping up with government standards, a government audit found.
In a week where President Barack Obama delivered two speeches on cybersecurity, the Government Accountability Office released a report faulting the security lapses of both the Department of Homeland Security and the General Services Administration.
President Barack Obama speaks about cybersecurity alongside Secretary of Homeland Security Jeh Johnson as he visits the National Cybersecurity and Communications Integration Center in Arlington, Virginia, Jan. 13, 2015. (AFP Photo/Saul Loeb)
Cyberthreats could disable computers that control and monitor building operations including elevators and electrical power.
“The increased connectivity heightens their vulnerability to cyberattacks, which could compromise security measures, hamper agencies’ ability to carry out their missions, or cause physical harm to the facilities or their occupants,” the GAO report said.
The report said that “no one within DHS is assessing or addressing cyber risk to building and access control systems particularly at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) as of October 2014.”
In 2013, the DHS National Protection and Programs Directorate assessed the physical security and cybersecurity of federal facilities, but the GAO report says there is no strategy for dealing with the cyber risks and how to fix the problems.
“The absence of a strategy that clearly defines the roles and responsibilities of key components within DHS has contributed to a lack of action within the department,” the GAO report said.
DHS officials said in response to the report that a strategy is not yet in place “in part, because cyber threats involving these systems are an emerging issue.”
Further, the Interagency Security Committee (ISC), which is housed within DHS and is charged with developing security standards for nonmilitary federal facilities, did not address cybersecurity in drafting its Design-Basis Threat report that identifies numerous other threats.
An ISC official told the GAO that public shootings and workplace violence incidents around the country have caused the panel to focus first on physical threats.
In his speech Tuesday on cybersecurity, Obama did not seem to believe the threat was a secondary concern.
"We want cybercriminals to feel the full force of American justice, because they are doing as much damage, if not more, these days as folks who are involved in more conventional crime," Obama said.
On the GSA, the audit determined that 20 of the 110 agency security assessment reports from 2010 through 2014 did not comply with federal guidelines under the 2002 Federal Information Security Management Act, a post-9/11 security law.
In one example, five of the 20 GSA security reports reviewed in the audit did not show that the password-complexity rules were enforced.