Federal Insider: Secret Service IT management slammed following Chaffetz breach

Now that the votes are in and the presidential campaign is done, the Secret Service can close an incredibly busy election season.

Perhaps it can turn some of that energy to protecting its computer systems, which suffer from neglect, ignorance and bad management, according to a watchdog’s report.

The report by the Office of Inspector General (OIG) at the Department of Homeland Security is related to the agency’s breach and leak of personal information belonging to Rep. Jason Chaffetz (R-Utah) last year. That was another in a string of embarrassments for a law enforcement agency that has had such a proud tradition.

A 2015 OIG investigation found that 45 employees got into Chaffetz’s 2003 Secret Service job application. Only four had a legitimate need, leaving the rest in violation of the Privacy Act and agency policies. The file snooping began minutes after Chaffetz, chairman of the House Oversight and Government Reform Committee, opened a hearing into allegations of agents’ misconduct.

Chaffetz said the current report, issued last month, shows that “despite past warnings, USSS [U.S. Secret Service] is still unable to assure us their IT systems are safe.” In a letter to Inspector General John Roth, Chaffetz also said the discipline for some agents in his case “is not adequate to deter similar behavior in the future” and asked Roth to continue his investigation.

The October report goes well beyond the Chaffetz case and dissects the agency’s information technology operation in scathing particulars.

Summing up the report, the inspector general’s office offered this mouthful: The “audit uncovers a myriad of problems with Secret Service’s IT management including inadequate system security plans, systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections, and over-retention of records. The OIG concluded that Secret Service’s IT management was ineffective because Secret Service has historically not given it priority. The Secret Service CIO’s [Chief Information Officer] Office lacked authority, inadequate attention was given to updating IT policies, and Secret Service personnel were not given adequate training regarding IT security and privacy.”

The Secret Service agreed with the report’s 11 recommendations, even though officials believe it does not reflect the agency’s recent IT progress. In a memorandum responding to the report, Secret Service Director Joseph P. Clancy noted last year’s hiring of retired Marine Brig. Gen. Kevin Nally as CIO and “the sweeping and unprecedented improvements” under his leadership.