EXCLUSIVE: Hundreds of contractors holding important information security jobs at the U.S. Environmental Protection Agency have for years been working as high-level operators of its computer systems without the appropriate security background checks — a situation the agency is still scrambling to correct.
During all that time, the agency apparently did not even have a complete list of all the “high-risk” positions where detailed background investigations of outside contractors were required.
In other instances, the agency had assigned lower levels of background scrutiny to the positions than the importance of the positions — and their information access — deserved, according to preliminary investigations carried out by the EPA’s Office of Inspector General (OIG).
Moreover, despite much-touted efforts to tighten up cybersecurity by the Obama administration, the situation was still bad when Obama left office. An internal EPA tally in February 2017 showed that nearly 70 percent of 484 contractors carrying a special, embedded-chip card allowing “elevated access” to EPA computer systems for their work still had not gotten their higher-level background checks.
For their part, the EPA’s auditors noted that in their initial small sampling, five of nine contractor personnel were given sensitive access to EPA computer systems without strict background checks, even though they had worked for the EPA “for over five years.”
The gaping holes in EPA’s information security defenses were severe enough that the agency’s OIG investigators, who began an audit of the contractor background checks last March, stopped work and issued a rare “management alert” to the Trump administration’s EPA officials about the situation, which was released to the public at the end of September.
(EPA officials were, in fact, briefed about the situation in late August.)
“Contractor personnel with potentially questionable backgrounds are accessing sensitive agency data and could cause harm,” the alert concluded. “These initial investigations and timely reviews serve as a cornerstone for the EPA to verify whether contractor personnel are trustworthy.”
The OIG document did not say so, but contractor positions have been exploited by some of the most damaging intruders in U.S. computer systems. One of them was Edward Snowden, who in 2013 stole and leaked information on some of the most sensitive global surveillance programs carried out by the National Security Agency. Snowden remains at large in Russia.
Along with the lack of appropriate background checks, the OIG alert noted:
· “a lack of oversight by responsible offices” within EPA to confirm that background investigations were initiated and eventually completed when contractors got the supposedly temporary right to special access cards,
· conflicting totals among various EPA offices about how many working contractors would require high-level background checks,
· a “breakdown in communication” among various EPA computer system managers and oversight personnel over verification of the checks,
· a refusal on the part of one EPA bureau to provide a listing of personnel who did not even have the special computer access cards but nonetheless still had privileged access to EPA computers. (EPA gave the number of such un-carded accounts to Fox News in response to a query: 58. Of those, the agency said, 27 were disabled and 31 in active use.)
Such alerts “say that this is something the agency should respond to right away,” says Jennifer Kaplan, the agency’s deputy assistant inspector general for congressional and public affairs, told Fox News.
The same point was underlined in the alert itself, which noted that “many of these underlying issues could have been uncovered had EPA management conducted oversight and a timely review of these processes.”
“This is definitely disturbing,” observes Theresa Payton, one of the country’s leading cybersecurity experts and the first female chief information officer at the White House during the Bush administration. “If you are giving network access to someone, it’s a no-brainer to give them a thorough background check.”
“There has never been more reason to target us than now, on the part of North Korea, China and Russia. And there has never been more delicate and fragile trust in our government than right now.”
“This is definitely disturbing.”
The lack of background investigations and consequent security risks were known — at least in large detail — to top EPA officials of the Obama administration as far back as August, 2015. That was two months after the White House Office of Personnel Management announced that it had been hit by the biggest hack of federal government personal information in history, eventually affecting an estimated 21.5 million federal employees, with much of the information extracted from outside contractors.
The August 2015 milestone marked the end of the Obama administration’s much-touted “30-Day Cybersecurity Sprint,” an effort to get a grip on cybersecurity lapses across the federal government in the wake of the massive information threat.
The “sprint” supposedly included a drastic upgrade to the safeguards around all such “privileged” or high-access users through the use of embedded-chip user ID cards that supposedly guaranteed they had appropriate clearances for their degree of access to EPA networks
Yet at EPA, at least the vaunted new levels of security alert were apparently something of a mirage, at least where outside contractors were concerned.
By the end of 2016, by EPA’s own estimate, half of the agency’s “privileged users” of sensitive computer systems still did not have the appropriate background investigations needed for the ID cards they were using. The strict-scrutiny background checks had simply been “temporarily” waived.
Two months later, when EPA learned that nearly 70 percent of contractors still were without appropriate background checks, the situation clearly was not much better.
The auditor’s main recommendation was fairly stark: get the controls in place to get the background checks done, and effective oversight established, before the inspectors come back to complete their detailed review.
According to EPA, it is doing just that. An EPA spokesperson told Fox News that “93 percent” of all current privileged access card holders have gotten “the appropriate level of investigation.”
Since, according to the spokesperson, EPA now has 628 privileged card-holders, that means 44 people still haven’t gotten the appropriate background check.
In veiled language, the spokesperson indicated that these personnel were, in effect, grandfathered into the system, as holding cards prior to August 15, 2015, when the strict regime of background checks was installed but essentially never implemented.
Moreover, all the security check issues of oversight and other matters have now been closed, the spokesman declared. “EPA has processes in place to ensure that investigations get initiated before a [privileged user card] is issued.”
Maybe so, but according to OIG’s Kaplan, the EPA still hasn’t provided its watchdogs with a statement “on how it will proceed with the recommendations,” meaning its exact plans.