Auditors found that the Environmental Protection Agency had 30 systems containing sensitive personally identifiable information — but didn’t reveal much else — in a summary of a cybersecurity report released Wednesday.
“There could be a little bit more transparency in here,” said John Pescatore, director of emerging security trends at the SANS Institute, a cybersecurity research company.
EPA’s Office of Inspector General said in the overview that of the 30 relevant systems identified, auditors sampled two for its report. It also noted that EPA does not own any systems that hold national security information. The EPA IG on Thursday also released a separate summary of a similar audit for the Chemical Safety Board, which it also oversees, reporting the board has one system that stores sensitive PII.
“Because the report contains sensitive information, we only made available to the public the ‘At a Glance’ page of the report,” Jennifer Kaplan, EPA’s deputy assistant inspector general for congressional and public affairs, said in an email.
The reports were put together to comply with the Cybersecurity Act of 2015, passed last year as part of a larger bill in the wake of the data breach at the Office of Personnel Management and intended to evaluate how agencies fare in some of the most important security indicators, Pescatore said.
Speaking about the EPA report summary, Pescatore noted that he thought evaluating two systems of 30 “seems a little low,” even if the figure accounts for nearly 10 percent of the systems. Also, he said some of the items said to be included in the report — like “reasons why monitoring and detecting capabilities are not used if applicable” — could potentially be released to the public.
“I think there is some information that could be released publicly that’s not going to give away information to attackers,” he noted. The report, he said, could be redacted or sensitive sections could be eliminated.
He added, “This thing they released is pretty much nothing but saying, ‘OK, we did what we had to do.’”
At the same time, Kaplan defended the size of the sample reported in the summary, saying, “It is typical for an audit to review a sample of the total number of systems in place.”
And Braden Perry, a cybersecurity attorney for Kansas City, Kansas-based firm Kennyhertz Perry LLC and a former senior attorney at the Commodity Futures Trading Commission, noted that if the agency’s systems are similarly set up from a security standpoint, their processes, practices, policies and procedures would be similar.
“Two out of 30 is a small percentage but could be indicative of the systematic nature of their cyber environment,” he noted in an email.
He added that he wasn’t surprised the findings weren’t made public.
“[T]he EPA agreed with the findings, so likely there are no extraordinarily controversial findings,” he said.