The U.S. Secret Service has restructured its IT operations and “rectified” many of its information security deficiencies brought to light after dozens of agents accessed and leaked personal records of Rep. Jason Chaffetz, R-Utah, the service’s CIO said during an oversight hearing Tuesday.
“When I arrived…I saw a need for a complete reorganization of the Information Resources Management Division that was under another assistant director to the office of the CIO,” Kevin Nally, who was named to the position last December and a few months after news of the leaks, said in front of Chaffetz’s House Oversight and Government Reform Committee.
“I now have a complete accounting of all IT spending in the Secret Service, I’m the only CIO in the Secret Service, and I’m the only designated approving authority for those systems we operate,” Nally said.
More than 40 agents, including one top official, were disciplined for digging up Chaffetz’s application to join the Secret Service from 2003 and leaking “some information that he might find embarrassing,” according to a Department of Homeland Security report. The move came as an act of retribution against the oversight chairman, who’d opened an investigation into misconduct within the Secret Service.
Referring to the leak of Chaffetz’s information, Nally added, “We now have procedures in place to check for that. People understand the ramifications of their actions in that regard. And plus we have training education on [personally identifiable information] and sensitive types of information.”
As of last month, a report from the service’s Office of the Inspector General showed that its IT services were still in disarray. Committee member Rep. John Duncan, R-Tenn., also quoted a report that says “IT systems in the Secret Service are described as the worst in DHS and that ‘managers cannot even explain basic IT principles…with a culture of mishandling information.’”
But Nally rebutted the notion, claiming that the prior issues are not cultural and that his office has since shored up its information security in other areas, including limiting the ability for agents to access the sensitive information of former applicants.
“It’s not a cultural issue,” he said. “The individuals that did get out of place, do wrong things, is roughly 0.7 percent of the population of the Secret Service.” Likewise, of four systems the IG found without proper security authorizations in October, Nally said three now have their authority to operate, and the fourth will receive authorization by Dec. 31.
“If that’s one thing that comes form this hearing, that at least that can’t happen again, that’s good news,” said Mick Mulvaney, R-S.C.
But Chaffetz wasn’t completely satisfied with Nally’s calling the situation “rectified.”
“I have pictures of your office where somebody emails in their application, it’s printed out, it’s stacked up in the hallway, not in a secure setting, it’s behind a locked door, but it’s certainly not in a secure setting, and then you retype it in?” he said. “How arcane, how bad is the personnel system?”
While Nally and his colleagues maintained that the Secret Service had adequate systems in place for personnel management, Chaffetz questioned once again if the service might not be fit to serve as the cyber protector of the nation’s financial infrastructure, as he did when the IG report was released in October.
“Should we shed off all the things that you’re supposed to be doing as it related to cyber and cyber defenses?” he said. “Because look at the irony here. We’re hearing reports from the inspector general that you don’t even have the basic systems in place to deal with some of the most basic things we have.”