Poor computer security threatens a Homeland Security program to issue national identification cards to airport, seaport and railway workers, according to a report released last week.
The Department of Homeland Security Office of Inspector General released its report (PDF) on computer security in the Transportation Workers Identity Credential program, saying that security problems with the program’s implementation “may threaten the confidentiality, integrity and availability of sensitive TWIC data.”
“Until remedied, the significant security weaknesses jeopardize the certification and accreditation of the systems prior to full implementation of the TWIC program.”
The program has been fraught with problems from day one, starting with numerous delays caused by Rep. Harold Rogers (R-Ky.) trying — successfully — to get money for the program diverted to contractors in his Congressional district.
The redacted report also identified a broader group of information security concerns that need to be addressed before TWIC is fully implemented. The program lacks clear definitions for assigning and distributing IT system responsibilities, procedures for periodic threat reassessments on people who are granted TWIC cards, procedures for criminal history checks and a records-retention schedule.
In response to the report, the Transportation Security Administration, which is in charge of TWIC, agreed with the findings and supported the recommendations, the report said. — Government Computer News
Who wants a free pass into secured areas of airports?
Skinner recommended in his audit that TSA create a formal office to oversee TWIC security to ensure that weaknesses are fixed.
The program at first is expected to cover 750,000 workers who have unescorted access to secure port areas, including longshoremen, port employees, truck drivers and rail workers. — Baltimore Sun
“It was acknowledged in discussions with [Skinner] that a prototype system will always need further enhancements and additional work to ready it for production,” TSA deputy assistant secretary Robert Jamison wrote in his response to the report.
The problem in this case is not that a prototype system needs further work. The problem is that security took a back seat to politics. And as any security expert will tell you, the proper way to do security is to design it in to the system in the first place, not to try to graft it on later. This likely won’t be the last we hear of security problems with this program.
It should not continue to surprise anyone that a government department with “security” in its name should be unable to provide security, or even to understand security.