New policies and procedures address issues raised by inspector general report.
Transportation Security Administration (TSA) personnel use technology to screen and share operational data about its operations with airport personnel as well as other government agencies.
The Transportation Security Administration is doing more than just making sure travelers have a safe trip; it also is ensuring the security of the data, video and voice communications that travel on its network. In response to the deficiencies raised in a report issued by the U.S. Department of Homeland Security’s inspector general last year, the administration acknowledged its network flaws and moved forward quickly to correct them. Among the issues that needed to be addressed were policies, processes and procedures concerning security testing, audits, and configuration and patch management.
The inspector general’s report was based on interviews with Transportation Security Administration (TSA) employees, observations, technical scans and documents. The goal was to determine whether the administration had implemented adequate controls to protect its networks. The inspector general’s office determined that progress had been made during the previous year; however, several issues still needed to be resolved.
According to Randy Null, assistant administrator for operational process and technology, chief information officer and chief technology officer, TSA, the report did not reveal any catastrophic findings that the agency had not already recognized. “From my experience, I don’t know of any network in any company or any agency that doesn’t have things that they need to do better. We have indeed made a lot of progress, and there’s a lot of new capability that’s going into place. Certainly, in the business we’re in, it’s a very critical issue for us,” Null says.
TSANet is the administration’s overarching network that connects to local area networks throughout the
A combination of voice, video and data communications run on the TSANet. It is used for town hall meetings as well as for broadcasting information from headquarters to field offices. In addition, the TSA is increasing its usage of voice over Internet protocol and will continue to expand in this area, Null explains.
While he will not share how the video capability is used, Null reveals that one way the TSA employs the capability is by sending training videos over the network.
From the standpoint of data, Null says the administration captures a great deal of data from airports. This information includes daily metrics about operations and security and is used to generate reports that are shared with other TSA members on the network as well as with Department of Homeland Security (DHS) organizations.
The primary deficiencies identified by the inspector general focused on the lack of policies, and Null notes that the TSA not only agreed that the problems exist but also provided many of the remediation recommendations that were included in the report. The administration has since finalized its policies regarding configuration management, patch management and passwords.
“We created a policy project team, and team members are developing those processes as well as standard operating procedures to go around them. Those policies have been embedded in our security architecture as well as promoted into our risk-management process,” Null says.
To address the configuration management issue, the TSA implemented a configuration change board and strong governance structure as well as assigned an information system security officer to every program. Every configuration change must be reviewed and approved by these officers and by Patricia Titus, the TSA’s chief information security officer. In addition, the TSA has strengthened its implementation of the 2002 Federal Information Security Management Act, Null says.
Included in the inspector general’s report was a point about audit trails. It noted that the TSA does not ensure that audit trails on all network devices are regularly reviewed and maintained to guarantee that only authorized activity occurs on the network. Developing audit trails is challenging to many organizations, Null admits. “It can be so pervasive that it’s overwhelming, both from a cost standpoint as well as a traffic standpoint. What we’ve really tried to do is identify where our critical assets are; we’ve got a critical asset team that’s identifying the high-risk, high-priority areas that we will go after first,” he says.
Improvements also have been made in the area of testing. Titus reveals that the DHS has automated much of the certification and accreditation process. “That’s fairly new for the federal government. We’re using the Trusted Agent program and a risk management tool. That’s really added to automating our risk management process, and I think that’s fairly cutting edge,” she says.
Null points out that the problems with securing networks can be attributed to a number of issues, including technology, training and manpower. Nearly all agencies face challenges in these areas; however, those challenges are exacerbated by the fact that the TSA is relatively new. It was formed in November 2001 and moved into the DHS in March 2003.
“One of the big challenges we have is that we’re still a very new organization. We’re always resource and budget challenged, so it really is a combination of where you are in the maturity curve of implementing these capabilities and getting general acceptance and understanding by the whole population of TSA. All of those people out there can create problems for us. Having the tools and understanding of the policies so that we don’t create our own problems is very important. And that again, in many ways, is a maturity issue,” he says.
The organization has been moving quickly to add new capabilities in terms of applications and data sources. Because of this momentum, ensuring that the TSA has adequate resources to adopt new capabilities correctly upfront so it does not have to go back and fix problems is a concern, Null says. “So, just trying to keep the cats herded is a real challenge,” he notes.
Some of the security tools that have come on the market, such as those that address denial of service and wireless security, have helped the TSA secure its network; however, they also can create new problems that must be resolved. Titus says integrating these tools together is difficult and notes that offering products that meet standards as a baseline would be helpful.
In addition, she points out that development of a better encryption scheme or algorithm that can ride on the MPLS cloud would be useful. “MPLS offers you that any-to-any connectivity, but you have to throw information technology security on top of it, which encumbers the capability of that any-to-any communication. Finding better ways to implement encryption schemes across that [MPLS cloud] would be fabulous,” she says.
The National Cyber Security Division is reaching out to the vendor community to ensure it is building better software programs and fixing problems before software is released, and this certainly helps government agencies, Titus adds.
Although software without any bugs is a laudable goal, patch management continues to be a problem for many agencies as well as corporations. Until it approved its own policy in this area, the TSA relied on patch management procedures developed by the contractor responsible for its network management to address patch implementation, the inspector general report points out. The TSA has since approved a patch management policy of its own. Titus notes, however, that testing is still a concern that needs to be resolved.
The TSA’s youth as an agency works in its favor in this area. Primarily, patch management is more difficult for organizations that have legacy systems. While the TSA does not have mainframes, it still must find a solution that will patch at all levels. And, before a patch can be installed, it must be tested—and in most cases tested and applied quickly. A fully operational redundant network is required for testing. “The time to exploit after a vulnerability has been identified is shortening, so it’s becoming more of a challenge. So periodically you actually have to deploy a patch without doing the types of testing you’d like to do so that you can get yourself patched before it actually hits. It’s a challenge, so what’s the solution? The product vendors getting together and putting together integrated solutions that will provide benefits to government and that will cross multiple platforms,” Titus says.
In addition to information security, the TSA has another priority: information sharing. The agency recognizes that one of the most important products it offers is information, Null notes. Among the organizations it shares data with are airports, government agencies, owner-operators, and state and local law enforcement agencies. Understanding how to develop a data fusion capability, to reach out to other communities to share data and to create an information exchange is critical to the TSA’s future, he states.
The TSA determined that the new architecture it wants to implement is an information-sharing environment that utilizes a service bus or enterprise bus in a service-oriented architecture. This would give the administration the ability to set interoperability standards and at the same time put wrappers around its legacy technology to provide interoperability for legacy as well. “The good thing is that we then have a bus architecture that gives us a good vehicle for our security management,” Null offers.
Like all government agencies, the TSA will face a number of issues in the years to come. In addition to sharing information, Null points out, shared services will be a future topic as will maintaining cost controls. Providing an architecture that facilitates interoperability, that features a standard interface and that supports the publish-subscribe paradigm for data sharing will increase opportunities in data sharing and application building, he says.
“We clearly understand the criticality of the security of our networks, the robustness of networks. It is inherent in what we do as an agency and what we provide to the traveling public in terms of information and security levels. We can’t do all security. We are very dependent upon our state and local partners and private sector partners, and we have to bring them in as a part of the process. In order to make that happen—to provide the levels of security—we absolutely need the interchange capabilities, but we need [interchange] at a robustness and security level far beyond what we have today,” Null states.
Inspector General Report: www.dhs.gov/interweb/assetlibrary/OIGr_05-31_Aug05.pdf
Transportation Security Administration: www.tsa.gov