The Transportation Security Administration (TSA) sucks at providing airport security. But the agency isn’t a one-trick pony. Demonstrating its commitment to excellence — at sucking — the TSA is working hard to make its computer security just as good as its airport security:
The report centers on the way TSA (mis)handles security around the data management system which connects airport screening equipment to centralized servers. It’s called the Security Technology Integrated Program (STIP), and TSA has been screwing it up security-wise since at least 2012.
In essence, TSA employees haven’t been implementing STIP properly — that is, when they’ve been implementing it at all.
STIP manages data from devices we see while going through security lines at airports, namely explosive detection systems, x-ray and imaging machines, and credential authentication.
In addition to unpatched software and a lack of physical security that allowed non-TSA airport employees access to IT systems, the auditors found overheated server rooms and computers using unsupported systems — and much more.
The observed “lack of an established disaster recovery capability” noted by the OIG is particularly scary. If a data center was taken out by natural disaster, passenger screening and baggage info would be rendered inaccessible.
Not only that, but there was no security incident report process in place, and there was “little employee oversight in maintaining IT systems.” And, auditors were not pleased at all that non-TSA IT contractors maintained full admin control over STIP servers at airports.
At what point do we write the TSA off as a failed experiment? I know, it’s a government agency, it’ll never go away. But the fact that the TSA continues to fail at everything and is allowed to continue existing really demonstrates why the market is superior to the State. Were the TSA forced to compete in a market environment it would have been bankrupted and its assets would have been sold to entrepreneurs who might be able to put them to use.
It’s time to ask the million dollar question. What will happen now? One of the reasons government agencies fail to improve their practices is that there’s no motivation to do so. A government agency can’t go bankrupt and very rarely do failures lead to disciplinary action. In the very few cases where disciplinary action does happen it’s usually something trivial such as asking the current head of the agency to retire with full benefits.
Meanwhile air travelers will still be required to submit to the TSA, which not only means going through security theater but now potentially means having their personal information, such as images from the slave scanners, leaked to unauthorized parties.