Audit, Governance & Risk Management
IG Disputes TSA Edits of Security Audit
Inspector General Sees No Need to Keep Assessment Secret
The Department of Homeland Security's inspector general is protesting redactions made by the Transportation Security Administration to a security audit of DHS information systems at New York's JFK airport.
Officials at the TSA, part of DHS, classified sections of the report as sensitive security information, or SSI, which by law cannot be included in a public report.
Inspector General John Roth, in a statement issued Jan. 23, characterized the TSA action as an abuse of SSI classification, and reluctantly issued a redacted version of the audit to the public. Roth furnished an unedited version of the report, "Audit of Security Controls for DHS Information Technology Systems at John F. Kennedy International Airport," to congressional oversight committees.
"Over-classification is the enemy of good government. SSI markings should be used only to protect transportation security, rather than, as I fear occurred here, to allow government program officials to conceal negative information within a report," Roth said. "I believe - and the computer experts on my staff confirm - that this report should be released in its entirety in the public domain."
Seeking to Fulfill Mission
Roth said that previous publicly released inspector general reports had contained similar material and that the contents of the new report posed no threat to transportation security. "Our mission is to inform the public, Congress and the DHS leadership about fraud, waste and mismanagement in DHS programs and operations," he said. "Issuing full reports without redactions is key to accomplishing that mission."
On Nov. 19 and again on Dec. 19, Roth sent formal memos protesting the deletions to then-TSA Administrator John Pistole. The memos also cited delays in TSA's review of the IG report, which was issued to TSA officials in draft last July 22.
DHS spokeswoman Ginette Magaña wouldn't publicly discuss the rationale behind classifying parts of the audit, but says the department has taken corrective actions on the airport systems to resolve existing vulnerabilities, secure IT equipment from unauthorized access and ensure that environmental controls for the airport are established, documented and implemented to provide needed protection. She says DHS also has developed plans of action and milestones to address the recommendations in the IG audit.
"Ensuring the security and integrity of our information technology systems that support our wide-ranging missions to protect the homeland is a high priority for DHS," Magaña says.
Redacted Portion of IG Report
Source: Department of Homeland Security Inspector General.
But Rep. Bennie Thompson, the ranking member on the House Homeland Security Committee, says classifying information as sensitive or secret should only be done if national security could be at risk. "Proper transparency is key to good governance and by insisting this report be partially redacted, TSA undercuts this transparency," says Thompson, D-Miss. "Unfortunately, government agencies have all too often over-classified material under the pretext of security in order to sweep negative or embarrassing information under the rug. I hope that the acting administrator (Melvin Carraway) promptly reviews the decision to classify portions of the report and reverses this decision."
Lack of Incentive
Herbert Lin, a senior research scholar for cyber policy and security at Stanford University's Center for International Security and Cooperation, says a fundamental problem in government is that there is no incentive to refrain from classifying information that doesn't threaten national security.
"The persons responsible for making classification decisions look at a piece of information and ask themselves, 'Do I classify or not classify?'" Lin says. "If they do not classify, and it turns out that the information should have been classified, there's all kinds of hell to pay. If they do classify and it turns out it should not have been classified, there's no penalty for anyone."
To limit over-classification, Lin advocates assessing agencies a fee for the right to classify. "In a time of limited resources," he says, "this would give classifiers some incentive to refrain from classifying information unless it were truly valuable."