In what Department of Homeland Security (DHS) Inspector General (DHS IG) John Roth believes is an attempt to conceal negative information from the public, the Transportation Security Administration (TSA) redacted information from a recent IG audit report on TSA’s computer security shortcomings at John F. Kennedy International Airport.
After reviewing the IG’s draft report last year, TSA redacted several sections of the report as Sensitive Security Information (SSI). However, the IG stated, there is no valid reason to be shielding this information from the public. Roth asserted that hiding behind the SSI label is a significant abuse of TSA’s power.
By TSA’s definition, SSI is "information obtained or developed which, if released publicly, would be detrimental to transportation security."
TSA further says, "We strive to balance our information sharing by keeping our programs transparent to the American public while protecting information that could be used to endanger lives."
TSA’s current SSI regulation lists sixteen categories of information that are considered SSI, including security plans, specifications for screening equipment, threat information and details regarding security screening information.
According to the Department of Justice, the new Exemption 3 statute for "critical infrastructure information" (CII) under the Freedom of Information Act (FOIA) — which now applies to SSI information held by DHS only — is one of ‘a growing trend [of] statutes enacted in recent years [that] contain disclosure prohibitions that are not general in nature but rather are specifically directed toward disclosure under the FOIA in particular.’
Regarding SSI disclosed by TSA or the Coast Guard pursuant to 49 CFR Part 1520 of the Homeland Security Act, any “record” requested under FOIA may be released “with the SSI redacted, provided the record is not otherwise exempt from disclosure under FOIA or Privacy Act.”
Statute (49 CFR Part 1520) provides TSA the authority to "authorize a conditional disclosure of specific records or information that constitute SSI upon the written determination by TSA that disclosure of such records or information, subject to such limitations and restrictions as TSA may prescribe, would not be detrimental to transportation security."
“I believe that this report should be released in its entirety in the public domain,” Roth said. “I challenged TSA’s determination because this type of information has been disclosed in other reports without objection from TSA, and because the language marked SSI reveals generic, non-specific vulnerabilities that are common to virtually all systems and would not be detrimental to transportation security.”
“My auditors, who are experts in computer security, have assured me that the redacted information would not compromise transportation security,” Roth stated.
Although the IG also evaluated the security controls for IT systems supporting homeland security operations of Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE) and US Secret Service (USSS), the IG homed in on TSA’s needless classification of information.
“Over-classification is the enemy of good government," Roth said, explaining that, "SSI markings should be used only to protect transportation security, rather than, as I fear occurred here, to."
Although a draft of the report was provided to TSA for comment and review on July 22, 2014, the IG did not receive the revised report until nearly three months later, October 20. The revision contained several redactions which Roth challenged in a memo to then TSA Administrator John Pistole.
Pistole, however, never responded prior to stepping down as TSA administrator. Finally, on January 13, 2015, the Acting TSA Administrator responded to Roth’s letter, unsurprisingly affirming the original redactions. In turn, Roth expressed his concern about “both the substance of the decision as well as its lack of timeliness.”
“Our ability to issue reports that are transparent, without unduly restricting information, is key to accomplishing our mission,” Roth said.
The report stated TSA failed to follow security protocols in a number of areas at JFK, the sixth busiest airport in the United States, placing JFK airport at a significant security risk.
The IG found TSA failed to fully comply with operational, technical and management policies for its servers and switches operating at JFK. Moreover, the IG uncovered deficiencies in the physical security and access controls for a number of TSA server rooms and communication closets. Additionally, TSA failed to implement known software patches to servers at JFK and did not properly manage the controls for closed-circuit cameras.
The IG determined a number of these security lapses put JFK airport at significant risk.
For example, 21 server/switch rooms lacked humidity controls; a sensitive equipment cabinet located in a public area was unlocked and left open to run an extension cord to a nearby electrical outlet for power; and 14 of the 21 rooms inspected that contained sensitive equipment did not have fire extinguishers.
TSA also did not have visitor logs for any of its communications rooms that contain sensitive IT equipment to document the entry and exit of visitors to these rooms. The report stated, “When unauthorized individuals gain access to locations where sensitive computing resources reside, there is an increased risk of system compromise and data confidentiality, integrity and availability concerns.”
In response to the IG’s concerns that the redactions are unnecessary, Rep. Bennie G. Thompson, the ranking Democrat on the House Committee on Homeland Security, said Pistole’s successor should review the report and consider releasing it without redactions.
"Proper transparency is key to good governance and by insisting this report be partially redacted, TSA undercuts this transparency,” Thompson said, adding, “Unfortunately, government agencies have all too often over-classified material under the pretext of security in order to sweep negative or embarrassing information under the rug.”