Peace Corps IG less than impressed with agency cybersecurity practices

The Peace Corps must improve its system when it comes to cybersecurity, planning and implementation in order to run smoothly in the next fiscal year, the agency’s inspector general said.

In the agency’s annual report dissecting fiscal 2017, Peace Corps IG Kathy A. Buller listed recommendations for how the agency could improve its effectiveness and manage resources, while minimizing the risk of potential threats and abuse within the agency.

Buller said many recommendations have been open-ended since 2004 and it is about time they are addressed head on.

“Basically, the problem that we find is that the Peace Corps can do [the] little things, but they don’t have any overarching security program,” Buller said on Federal Drive with Tom Temin. “That’s why [effective cybersecurity] continues to be missing.”

The Peace Corps alone houses a large quantity of data on its volunteers including basic information such as addresses and dates of birth to more confidential data such as sexual assault history and medical records. It is imperative that the information for those serving abroad is kept protected, she said.

“I think part of the problem is when you’re functioning in countries that have limited bandwidth, and things of that nature, I think it causes some issues,” Buller said. “But generally, it’s more of a software protecting systems issue.”

The Peace Corps is currently working toward utilizing the cloud after an earlier project in collaboration with the General Services Administration went awry and showcased the agency’s earlier lack of planning.

Another lack of planning issue came in the Kosovo office, according to Buller. The office didn’t function properly due to the Peace Corps’ inability to provide the training for new staff and volunteers in enough time to run the post smoothly.

Training is of course important, but so too is the planning. Unfortunately, it can take months or even years for a contract to be drawn between another country and the Peace Corps. Buller said because each country has different rules and customs, new training techniques must be developed that are individually tailored to the culture and rules of each country.

“Sometimes it takes a long time, sometimes it doesn’t take so long because we’ve been there before,” she said. “They don’t track training and things like that very well. It’s part of their human resource problem.”

Both proper training and the development of prevention tactics could potentially help cut down the percentage of sexual assaults and other attacks on volunteers.

The Peace Corps begins developing techniques and plans to protect their volunteers when they do their initial site development. Integration has always been one of the Peace Corps’ security models, according to Buller.

“They feel better that if a volunteer integrates adequately into the community, the community will protect them,” Buller said. “That’s worked pretty well.”

High turnover is also evident in the Peace Corps due to five-year term limits for certain employees. A 2012 evaluation by the IG office showed the turnover rate between 24 percent to 38 percent, four times the normal turnover rate for an agency.

Buller said some of the positions should be exempt from this statute.

The fiscal 2017 IG report outlined several challenges that the Peace Corps must address for the new fiscal year including these areas:

  • Information Technology Security Management
  • Planning and Implementation
  • Human Capital Management
  • Compliance
  • Volunteer Health and Safety

Buller said a lot of the misdirection could also simply come from the lack of appointed leadership.

“Sometimes it takes a little bit of time to get there, but things have matured somewhat since I’ve gotten there,” Buller said. “So I think that its moving forward.”

Sheila Crowley became the Peace Corps’ acting CEO on Nov. 17.

To read the full IG report and recommendations, click here.

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.