US Homeland Security Employees Locked Out of Computer Networks

Dustin Volz, reporting for Reuters: Some U.S. Department of Homeland Security employees in the Washington area and Philadelphia were unable to access some agency computer networks on Tuesday, according to three sources familiar with the matter. It was not clear how widespread the issue was or how significantly it affected daily functions at DHS, a large government agency whose responsibilities include immigration services, border security and cyber defense. In a statement, a DHS official confirmed a network outage that temporarily affected four U.S. Citizenship and Immigration Services (USCIS) facilities in the Washington area due to an "expired DHS certificate." Reuters first reported the incident earlier Tuesday, which a source familiar with the matter said also affected a USCIS facility in Philadelphia. Employees began experiencing problems logging into networks Tuesday morning due to a problem related to domain controllers, or servers that process authentication requests, which could not validate personal identity verification (PIV) cards used by federal workers and contractors to access certain information systems, according to the source.

Security focused

[Fire_Wraith]

DHS is the primary government agency responsible for protecting the country's civilian infrastructure, including the internet and computer networks. I feel so much better knowing that they're so good at keeping their own systems secure, that even their own workers can't access them.

Re:Security focused

What's so insecure about denying access due to an expired certificate? Isn't that an example of security measures working as expected?

Re:Security focused

[Notabadguy]

Plot twist, the government doesn't manage their own networks anymore, for a while now they've been getting rid of military trained personnel and replacing them with civilian contractors.

Keep in mind that Department of Homeland security != Military; the Department of Defense (military) is a separate department. And many DHS personnel are unskilled, uneducated workers. TSA and all the security theater is part of DHS. This news article is as special as "Exxon gas station cashiers locked out of computer network."

Baggage handlers, X-Ray viewers, clerks, and even janitorial staff proudly introduce themselves in public as "I'm with Homeland Security." It sounds a lot better than "I'm a baggage handler at the airport."

Doing more with less..

[lionchild]

I think I'd like to take this opportunity to point out that this is what happens as we do more and more with IT on less and less staff. While I understand sometimes we think of IT as a cost-center and not a revenue generator, it probably needs to be thought of as more like a utility; because without the lights, water, phones...and internet, you can't do business very effectively these days.

That being said, this happens more and more. Someone is responsible for renewing certificates, but as we renew them for longer and longer periods, that means we simply start to forget about them. Then with the certificate issuer sends out an notification to that IT staffer who used to do that, but was 'right sized' a year and a half ago...no one gets the email. So, the certificate expires and this happens. Same song, different, louder verse, apparently when it happens to DHS, and likely more embarrassing.

Bottom line: Doing more with less, isn't always in everyone's best interest.

Re:Doing more with less..

[TechyImmigrant]

That being said, this happens more and more. Someone is responsible for renewing certificates, but as we renew them for longer and longer periods, that means we simply start to forget about them.

An alternative viewpoint is that this is one of the ludicrously bad failings of PKI. Requiring someone to remember to do an infrequent and short task at a point 1 or 2 years in the future, or the whole system collapses when they forget or leave or get booted. We could fix (I.E. delete and replace) PKI and this specific failure would not happen, so the overworked IT staff can go back to deploying Windows NT patches.