USPS refutes OIG report on ‘ineffective’ cybersecurity
The Postal Service attempted Monday to repudiate accusations that its cybersecurity practices are not up to par.
The statement came in response to a report released Friday by the agency’s Office of the Inspector General that painted an unflattering picture of USPS’ precautionary measures prior to the November 2014 cyber intrusion that exposed the personal information of 800,000 current and former employees. Among its findings was that Postal Service leadership “had not emphasized cybersecurity, as evidenced by its undertrained employees, lack of accountability for risk acceptance decisions, ineffective collaboration among cybersecurity teams, and continued operation of unsupported systems.”
Monday’s USPS response, posted on the agency’s website, described the findings as out-of-date.
“While the Postal Service appreciates the intent and role of the USPS OIG in developing its recent audit on cyber security issues, the findings do not reflect the current state of the organization’s capabilities,” the statement read.
The statement also referenced an appendix to the report in which USPS acting Chief Information Security Officer Greg Crabb — who took the job after predecessor Chuck McGann resigned in the wake of the 2014 cyber intrusions — and acting Chief Information Officer Randy Miskanic respond directly to the OIG findings with an extensive collection of case studies they said discredit the audit.
“The management processes, staffing, computing environment protections, training and awareness and other controls have been substantially upgraded based upon the learnings from the 2014 cyber intrusion,” the letter read. “As such … we would encourage the USPS OIG to incorporate the substantial changes in processes and the significant number of activities undertaken in response to the 2014 cyber intrusion.”
The letter went on to outline a “multiple phase cybersecurity improvement strategy” that the Postal Service has initiated over past months to fix the lax cybersecurity culture that led to the breach. The plan, which Crabb and Miskanic describe over seven pages complete with infographics, has four steps: remediation, capability assessments and implementation, reference security architecture, and a final phase for which “planning … will begin in Quarter II of FY2016.”
Although the OIG report acknowledged that USPS had taken measures to improve its security posture, its executive summary rebuked the service for failing to be proactive in cybersecurity prior to the breach and claimed that it needed to do more. The “highlights” section of the audit said in no uncertain terms that “sufficient personnel resources were not devoted to cybersecurity functions.” The audit recommended additional steps beyond the USPS four-phase plan, including “a strategy to embed a strong cybersecurity culture into daily operations and adequately staff and resource cybersecurity operations.”
The 41-page audit outlined a number of specific suggestions, which Crabb and Miskanic addressed in their response. Of the six recommendations, the letter states that “management agrees with the intent” of five, while it will “conduct a study to evaluate” the merits of a sixth.
“We agree with the broad intent of most of the recommendations in the audit and believe that the nature of the threats we face require more flexible and active management processes and modes of response than those identified by the OIG — many of which have already been or are in the process of being implemented,” it read.
In light of the recent OPM hack that compromised the data of 22 million citizens, the audit said organizations cannot be too cautious in bolstering their cybersecurity practices.
“To have effective cybersecurity, organizations need to incorporate multiple layers of prevention, detection, and response while maintaining resilient systems that enable the organization to operate while under attack and rapidly recover essential functions,” it said.