Internal reports show CISA rated low on information security, slammed for physical election security and intel sharing.
In the weeks just before President Trump fired its leader, the federal Cybersecurity and Infrastructure Security Agency (CISA) was repeatedly flagged by the Homeland Security Department's watchdog for poor performance, including inadequate physical security planning for election sites, poor intelligence sharing with its private and public partners and weak information security for its own systems, internal reports show.
The repeated Inspector General's warnings in September and October about CISA -- under then-Director Chris Krebs' leadership -- provide a stark contrast to Democrats' and the news media's portrayal of Krebs as a skilled leader whose firing jeopardized national security.
The internal memos, reviewed by Just the News, also provide some fodder to understand how the U.S. government could have failed to detect for nine months one of the largest cyberattacks in history, which was finally revealed earlier this month. CISA is primarily responsible for quarterbacking cybersecurity at civilian federal agencies.
"Risks to the Nation's systems and networks continue to increase as security threats evolve and become more sophisticated. As such, the cyber threat information DHS provides to Federal agencies and private sector entities must be actionable to help better manage this growing threat," the inspector general warned in one report earlier this fall. "Until CISA improves the quality of its information sharing, AIS participants remain restricted in their ability to safeguard their systems and the data they process from attack, loss, or compromise."
The inspector general faulted CISA for failing to have adequate staff, resources and policies in place to complete its mission, even going as far as to suggest it was weaker in cybersecurity than some of its fellow Homeland agencies.
For instance, on Sept. 30, the Inspector General's office reported that of three major Homeland Security offices audited, CISA had the lowest scores by far for information security, a remarkable irony given the agency's cybersecurity mission. CISA earned the lowest rating of 1 in four of the six categories studied. In contrast, fellow agencies Immigration and Customs Enforcement (ICE) and Customs and Border Patrol (CPB) achieved a score of 4 or 5 in all but two of the categories.
"CISA's overall information security program was not effective," the inspector general reported, scolding the agency for having "not yet developed component specific policies, procedures, and business processes as required by DHS policy."
File OIG-20-77-Sep20.pdf
Comment: See also: