Agriculture Department chief information security officer Chris Lowe is shutting the door on more than 400 social media sites after repeated instances of employees and contractors watching pornography on agency computers.
Lowe sent a memo to staff detailing the sites to be blocked, which include popular services such as Facebook, Snapchat and WhatsApp as well as dozens of more obscure URLs.
“In response to a Management Alert Memo from the Office of the Inspector General (OIG) regarding the ‘Misuse of the U.S. Department of Agriculture’s Information Technology Networks’, the Office of the Chief Information Officer (OCIO) will be implementing a block on social media websites not related to official Department communications or business on March 7th, 2018,” Lowe said in the Feb. 23 email message to staff obtained by Federal News Radio. “The websites that are included in this block are attached to this message and should be reviewed to ensure official USDA business and communications are not impacted. We have worked with the Office of Communications to ensure this list does not conflict with official USDA channels of communication; however, we ask that you review to check for impact to your mission areas and agencies.”
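The memo describes a host-level block with a list of sites and asks mission areas to review it for collisions with official channels. The following is an added example of what that review looks like in code; it is not USDA's list or the OCIO's tooling, and the blocked domains, exempt hosts and official URLs in it are constructed for illustration. It also shows two details a practitioner would check: matching on label boundaries (so `m.facebook.com` is blocked but `notfacebook.com` is not) and the fact that a DNS- or proxy-level host block cannot exempt a single path such as `facebook.com/usda`, only a whole host.

```python
"""Domain blocklist matcher with host exemptions and a conflict review.

Added example, not USDA's list or the OCIO's tooling. The domains and
official URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed sample of a social-media blocklist (not the memo's attachment).
BLOCKED_DOMAINS = frozenset({"facebook.com", "snapchat.com", "whatsapp.com"})

# Constructed host-level exemptions a communications office might need.
# A host-level block cannot carve out a single path such as
# facebook.com/usda; only an entire host can be exempted.
EXEMPT_HOSTS = frozenset({"business.facebook.com"})


def host_of(url: str) -> str:
    """Return the normalised hostname of a URL: lowercase, no port, no trailing dot."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    return host.lower()


def matches_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (label boundary respected).

    'm.facebook.com' matches 'facebook.com'; 'notfacebook.com' and
    'facebook.com.evil.net' do not.
    """
    return host == domain or host.endswith("." + domain)


def decide(url: str, blocked=BLOCKED_DOMAINS, exempt=EXEMPT_HOSTS):
    """Return ('allow' | 'block', reason) for a URL.

    Exempt hosts are checked first so an exemption wins over a blocked
    parent domain. A URL with no parseable host is blocked (fail closed).
    """
    host = host_of(url)
    if not host:
        return "block", "unparseable"
    if host in exempt:
        return "allow", "exempt"
    for domain in blocked:
        if matches_domain(host, domain):
            return "block", domain
    return "allow", None


def find_conflicts(official_urls, blocked=BLOCKED_DOMAINS, exempt=EXEMPT_HOSTS):
    """The review step the memo asks for: official channels the block would break."""
    conflicts = []
    for url in official_urls:
        verdict, reason = decide(url, blocked, exempt)
        if verdict == "block":
            conflicts.append((url, reason))
    return conflicts


if __name__ == "__main__":
    # Constructed list of official channels to review against the blocklist.
    official = [
        "https://www.usda.gov/media/blog",
        "https://business.facebook.com/usda-page",  # exempt host, stays reachable
        "https://www.facebook.com/usda",            # host is blocked; the path cannot be exempted
    ]
    for url, why in find_conflicts(official):
        print(f"CONFLICT: {url} would be blocked by rule {why}")
```

Run the conflict review before the block date against every URL the communications office publishes; any hit either needs a host-level exemption or a proxy that can filter by path, because a DNS-level block has no notion of paths.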
This might be one of Lowe’s last acts as CISO. Multiple sources confirm Lowe will be reassigned to another position in the department, making him the third high-ranking USDA technology executive to be moved out of his position over the last seven months.
Multiple LinkedIn messages and an email to Lowe seeking comment were not returned.
Multiple emails to USDA press asking for confirmation on changes to Lowe’s job were not answered.
Sources say Lowe, who has been USDA CISO since 2012, will be a cyber security officer for the new bureau of Research, Education and Economics (REE).
Additionally, sources say Tacy Summersett, the deputy CISO, will be the acting CISO.
Lowe’s reassignment, along with those of former USDA CIO Jonathan Alboum and deputy CIO Doug Nash, would mean a total house cleaning of the agency’s top IT officials. Alboum spent six months as USDA’s deputy senior procurement executive before leaving for the private sector firm Veritas. Nash moved to the Agricultural Marketing Service as its CIO.
USDA named Gary Washington as its permanent CIO in February.
In addition to Lowe, sources say Ray Coleman, who was chosen to lead the National IT Center (NITC) earlier this year, is leaving for a new job in the Defense Department. Details about what Coleman will be doing or where in DoD he landed are unclear. A LinkedIn message to Coleman was not returned.
Sources say Victoria Turley will be the acting head of NITC after Coleman leaves.
So as USDA’s leadership shuffles the CIO’s office, it also has to deal with what seems to be a growing problem of inappropriate website usage.
Sources say there is no connection between the management alert, the response to it, and Lowe’s reassignment.
USDA’s inspector general issued a management alert on Sept. 29 saying the Agriculture Security Operations Center (ASOC), which Lowe set up, has seen a “significant increase in the number of referrals of potentially unlawful and/or inappropriate network traffic (i.e. employee misconduct). The majority of referrals involve some type of pornography (i.e. USDA employee or contractor viewing and/or sharing unlawful or otherwise inappropriate pornographic content using their government-issued computers or other communications devices).”
An OIG spokesman confirmed Lowe’s memo from Feb. 23 is fulfilling the September management alert.
The spokesman said the OIG sees the rationale for listing the sites and that the agency is open to discussing any potential changes if needed for official activities.
“USDA continues to actively work to ensure appropriate usage of government resources as part of meeting Secretary Perdue’s commitment to making USDA the most efficient, most effective, best managed department in the federal government,” a USDA spokesman said in an email to Federal News Radio.
The IG says since 2015, the security operations center referred 225 cases of inappropriate usage to its office.
Concerns about USDA employees visiting pornography websites garnered the attention of Congress, which included a provision in the fiscal 2017 Consolidated Appropriations Act saying the agency had to block the ability of employees to view, download or exchange pornography in order to spend any funding on the IT infrastructure.
“We note that in October 2016, USDA installed the Department of Homeland Security’s EINSTEIN 3A software,” the OIG wrote in the alert. “The software has in-line network-based cyber security monitoring tools to protect USDA’s data and systems. It does not appear, however, to be effectively blocking access to these prohibited websites. Since October 2016, USDA OIG has received 81 referrals from the ASOC of potentially improper usage.”
It’s unclear from the memo why it took USDA five months to block these sites. As one federal security professional told me, why not just block them and not tell anyone about it? The expert said it seems odd to send out a memo alerting staff to the changes.
Unfortunately, USDA is not the first, nor will it be the last, agency to find its employees looking at pornography during the work day or on federal equipment.
For each of the last three sessions of Congress, Rep. Mark Meadows (R-N.C.) introduced a bill to require OMB to issue guidelines that prohibit accessing a pornographic or other explicit website from a federal computer, except for investigative purposes. The current bill has moved out of committee.
USDA has been struggling with its cyber posture for some time.
The IG found in its 2017 Federal Information Security Management Report to Congress that cybersecurity remains a material weakness at USDA.
“[W]e found that the department’s maturity level for the five function areas (identify, protect, detect, respond and recover) to be at Level 2, ‘Defined.’ Based on these criteria, the department’s overall score would indicate an ineffective cybersecurity program,” the IG stated in the report. “The department needs to implement its controls and determine that they are operating as intended and are producing the desired outcome.”