The Agriculture Department’s security systems have gotten better at detecting potential misuse of agency networks—such as downloading illegal content or visiting pornographic websites. But fractured policies at the department and component agency level mean there is little accountability for offending users, according to the inspector general.
In a new report, the IG notes cybersecurity has been a perennial problem for Agriculture—as is the case for many federal agencies. The IG has previously cited the agency’s “major vulnerabilities” and “identified IT security as a major management challenge for more than 10 years.”
More specifically, the IG’s Office of Investigations has been tracking misuse of agency networks since at least 2016.
In fiscal 2017, “USDA OIG had received 81 referrals from the Agriculture Security Operations Center related to potential improper usage activity,” the report states, leading to a management alert memo sent to the Office of the Chief Information Officer in September 2017 warning that “USDA’s IT internal controls do not appear to be effectively blocking access to prohibited websites.”
But the agency’s program for dealing with potential misuse of networks is staggered across multiple offices, without a clear chain for elevating serious issues.
Several agency policies outline what constitutes “improper use” of USDA networks, including:
- Loading peer-to-peer software.
- Downloading illegal material.
- Downloading copyrighted material for personal use.
- Distributing illegally obtained files and software.
- Using internet resources for activities that are inappropriate or offensive to fellow employees or the public, such as sexually explicit materials or hate speech.
- Other purposes not specifically authorized by law or agency regulations.
The improper usage program starts with OCIO, which is charged with deploying a network monitoring system to track all traffic, including employees, contractors, subcontractors, grantees and others working on agency networks.
“OCIO establishes procedures for monitoring, measuring, reporting, and enforcing compliance with applicable guidance, and oversees agency and staff office compliance with USDA telecommunications policies and procedures,” the report states.
That work is managed by the ASOC, which sits within OCIO.
Once an incident is discovered, department policy requires the offending user be reported to human resources. However, the IG discovered 78% of confirmed incidents—28 out of 36—were not referred to HR. While some of those incidents were referred to the user’s supervisor, 68%—19 of the 28 not referred to HR—were not subject to any kind of disciplinary action.
“This occurred because neither USDA nor its agencies have sufficient improper usage policies in place to direct agency personnel on how or when to involve HR and supervisors in the remediation process,” the IG wrote.
The report lists several policy gaps at the department and component agency level, including:
- Do not define all types of improper use.
- Do not require a referral to HR or supervisors.
- Do not provide guidance on how to address improper use by contractors and non-government personnel.
- Do not provide guidance on tracking improper usage incidents for employees, contractors and non-government personnel.
Of the eight incidents reported to HR, “three resulted in disciplinary action; three had no further action taken; and, as of October 29, 2018, the remaining two have unresolved HR investigations in progress,” according to the report.
While not all incidents result in significant harm to department networks, the IG said supervisors and agency HR offices “should still be notified in order for them to properly track incidents.”
“Without fully monitoring IT improper use, habitual offenders and other users might improperly use USDA IT resources—including its network and equipment—waste USDA resources and expose USDA networks to increased risk of malware and other internet-based threats,” the report states
Ultimately, the IG made six recommendations. Agriculture officials concurred with the IG’s suggestions and offered timelines for remediating the issues. The IG, in turn, approved of management’s decisions.