The Department of Homeland Security (DHS) Inspector General (IG) concluded in a 29-page audit report that while the US Coast Guard (USCG) has taken steps to address the risk of insider threats to its information systems and data, it still needs to take additional steps to further address the risks posed by so-called “trusted insiders” inside the Coast Guard.
“An internal breach by a trusted employee could impact [the Coast Guard’s] ability to protect the nation’s maritime interests and environment,” the IG disclosed.
Specifically, the IG said the Coast Guard needs to implement software to protect against the unauthorized removal of sensitive information through the use of removable media devices and email accounts; implement stronger physical security controls to protect USCG’s information technology assets from possible loss, theft, destruction or malicious actions; and provide insider threat security awareness training for all Coast Guard employees.
According to the IG’s audit report, the Coast Guard “has taken some steps to address the risk of insider threats to its information systems and data, such as establishing an Insider Threat Working Group that’s designed to implement a holistic program focused on the insider risk.”
“In addition,” the IG stated, “USCG implemented a process to verify that system administrators have the appropriate level of access to information technology systems and networks to perform their assigned duties. Further, USCG established the Cyber Security Operations Center to monitor and respond to potential insider threat risks or incidents against USCG information systems and networks.”
The Coast Guard concurred with all three of the IG’s recommendations, which, “if implemented, should strengthen USCG’s management of the threat posed by trusted insiders,” the IG stated.
In its audit of Coast Guard efforts to address the risk posed by trusted insiders, the IG determined the USCG “has taken some steps to address the risk of insider threats,” but that it also discovered “additional steps [that] are needed to further reduce the risk of insider threats to information technology assets.”
The IG said its testing “revealed potential vulnerabilities in technical and physical security controls that could allow for:
- The unauthorized data removal from USCG information systems; and
- The loss, theft or destruction of information technology assets.”
“In addition,” the IG stated, “insider threat security awareness training is needed for USCG employees.”
The IG’s audit report stated, “Trusted insiders could be given elevated access to mission-critical assets, including personnel, facilities, information, equipment, networks or systems. Potential threats can include damage to the United States through espionage, terrorism and unauthorized disclosure of national security information.”
Continuing, the IG said, “Trusted insiders may also be aware of weaknesses in organizational policies and procedures, as well as physical and technical vulnerabilities in computer networks and information systems.”
And “this institutional knowledge poses a continual risk to the organization,” the IG’s audit said, emphasizing that, “In the wrong hands, insiders use this knowledge to facilitate malicious attacks on their own or collude with external attackers to carry out such attacks.”
According to Coast Guard officials interviewed at length by the IG, “a malicious insider could do the most harm to the USCG mission by:
- Compromising sensitive and classified information;
- Damaging operational infrastructure and resources; and
- Causing loss of life through workplace violence.”