
IG Disputes TSA Edits of Security Audit

Inspector General Sees No Need to Keep Assessment Secret
The DHS inspector general audits computer security at JFK airport.

The Department of Homeland Security's inspector general is protesting redactions made by the Transportation Security Administration to a security audit of DHS information systems at New York's JFK airport.

Officials at the TSA, part of DHS, classified sections of the report as sensitive security information, or SSI, which by law cannot be included in a public report.

Inspector General John Roth, in a statement issued Jan. 23, characterized the TSA action as an abuse of SSI classification, and reluctantly issued a redacted version of the audit to the public. Roth furnished an unedited version of the report, "Audit of Security Controls for DHS Information Technology Systems at John F. Kennedy International Airport," to congressional oversight committees.

"Over-classification is the enemy of good government. SSI markings should be used only to protect transportation security, rather than, as I fear occurred here, to allow government program officials to conceal negative information within a report," Roth said. "I believe - and the computer experts on my staff confirm - that this report should be released in its entirety in the public domain."

Seeking to Fulfill Mission

Roth said that previous publicly released inspector general reports had contained similar material and that the contents of the new report posed no threat to transportation security. "Our mission is to inform the public, Congress and the DHS leadership about fraud, waste and mismanagement in DHS programs and operations," he said. "Issuing full reports without redactions is key to accomplishing that mission."

On Nov. 19 and again on Dec. 19, Roth sent formal memos protesting the deletions to then-TSA Administrator John Pistole. The memos also cited delays in TSA's review of the IG report, which was issued to TSA officials in draft last July 22.

DHS spokeswoman Ginette Magaña wouldn't publicly discuss the rationale behind classifying parts of the audit, but says the department has taken corrective actions on the airport systems to resolve existing vulnerabilities, secure IT equipment from unauthorized access and ensure that environmental controls for the airport are established, documented and implemented to provide needed protection. She says DHS also has developed plans of action and milestones to address the recommendations in the IG audit.

"Ensuring the security and integrity of our information technology systems that support our wide-ranging missions to protect the homeland is a high priority for DHS," Magaña says.

Redacted Portion of IG Report


Source: Department of Homeland Security Inspector General.

But Rep. Bennie Thompson, the ranking member on the House Homeland Security Committee, says classifying information as sensitive or secret should only be done if national security could be at risk. "Proper transparency is key to good governance and by insisting this report be partially redacted, TSA undercuts this transparency," says Thompson, D-Miss. "Unfortunately, government agencies have all too often over-classified material under the pretext of security in order to sweep negative or embarrassing information under the rug. I hope that the acting administrator (Melvin Carraway) promptly reviews the decision to classify portions of the report and reverses this decision."

Lack of Incentive

Herbert Lin, a senior research scholar for cyber policy and security at Stanford University's Center for International Security and Cooperation, says a fundamental problem in government is that there is no incentive to refrain from classifying information that doesn't threaten national security.

"The persons responsible for making classification decisions look at a piece of information and ask themselves, 'Do I classify or not classify?'" Lin says. "If they do not classify, and it turns out that the information should have been classified, there's all kinds of hell to pay. If they do classify and it turns out it should not have been classified, there's no penalty for anyone."

To limit over-classification, Lin advocates assessing agencies a fee for the right to classify. "In a time of limited resources," he says, "this would give classifiers some incentive to refrain from classifying information unless it were truly valuable."


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



