Homeland Security IG Protests Redactions in Report on Airport Security Lapses

The independent watchdog at the Homeland Security Department has blasted the Transportation Security Administration for redacting key passages of a new report on security lapses at New York’s JFK airport.

Inspector General John Roth also criticized procedural delays by since-departed TSA Administrator John Pistole in responding to a draft of the report and in deciding whether portions the IG wanted made public must instead remain classified as “sensitive security information.”

The report dated Jan. 16 evaluates information technology security at the nation’s sixth busiest airport and its leading international air cargo center. It concluded that TSA “did not comply fully with DHS operational, technical and management policies for its servers and switches operating at JFK. Specifically, physical security and access controls for numerous TSA server rooms and communication closets were deficient.”

TSA failed to provide visitor logs in its communication rooms to document entry and exit to areas containing sensitive equipment, the audit found, and it had not installed proper temperature controls for the rooms housing servers and switches.

But Roth reserved his harsher complaints for the policy clash over what he called an “abuse” of sensitive security information that prevented his release of the entire report. “Over-classification is the enemy of good government,” he said in a Friday press release. “SSI markings should be used only to protect transportation security, rather than, as I fear occurred here, to allow government program officials to conceal negative information within a report.”

DHS said in a statement to Government Executive that its many agencies working at JFK airport are fully committed to fixing the problems and that “ensuring the security and integrity of our information technology systems that support our wide-ranging missions to protect the homeland is a high priority for DHS.”

As DHS officials also noted in the report itself,  the department has already begun responding to the IG’s recommendations, “resolving existing system vulnerabilities; securing IT equipment from unauthorized access; and ensuring that environmental controls for the facility are established, documented and implemented to provide needed protection. “

But the department defended its reading of the U.S. code section on sensitive security information, saying it is bound by current operational threat analysis and information from subject-matter experts to determine parts of the report that are security-sensitive. Such determinations, DHS stated, “include full consideration of DHS’ commitments to transparency and the public’s right to know.”

In his introductory letter to the audit, Roth wrote that “the procedural history of this report elicits an unfortunate commentary on the manner in which the department handled this matter and bears review.” He then provided a timeline of TSA’s actions since the IG first presented a draft of the report on July 22, 2014, accusing Pistole and his acting successor of ignoring his letters challenging the redactions, only to end with a response from the head of the SSI office reiterating TSA’s earlier decision.  “I am disappointed in both the substance of the decision as well as its lack of timeliness,” Roth wrote.

Asked to comment on the clash, Scott Amey, general counsel of the nonprofit Project on Government Oversight, said in an email: “I love seeing an IG question an agency about the use of pseudo-classification markings. For years, the openness community has feared that the use of SSI, and more than 100 other controlled unclassified information markings, was abused and just another way to prevent embarrassing information from public release. We need more oversight of such markings. It's about time that someone questions the use of CUI and initiates a public debate about information that is hidden without any formal review or system to challenge such marking.”

(Image via Leonard Zhukovsky / Shutterstock.com)