Sunday, August 12, 2007

DHS - PCs = No Plan

On Saturday, the DHS computer network at LAX shut down, preventing incoming international passengers, and some passengers from Alaska, from being processed. Peter Gordon, acting port director for customs, said the shutdown, the latest in a series of incidents to affect the DNS system, was unprecedented:

"I've been with the agency for 30 years and I've never seen the system go down and stay down for as long as it did."

During the 10 hour-long outage, which lasted from 2pm until midnight and affected more than 20,000 passengers, air conditioning and water was in short supply, leading to a situation where dehydration was observed among some passengers by two LA Times reporters:

"Water fountains were not accessible due to renovations in the terminal, and the only air conditioning was provided by three industrial fans with limited range."

Ultimately, three people had to be hospitalized. The last passengers were processed at around 3.50am on Sunday - almost 14 hours after the shutdown started.

This is the latest in a series of incidents involving INS or DHS computer systems. I experienced one such incident myself, first-hand, at JFK about a year ago. I was at the front of the line at JFK when the computers went down for about an hour and a half.

Being at the front of the line, I observed uniformed INS staff repeatedly tried to log in to the DHS network. I asked the officer manning the booth in front of me if there was a back-up plan "if the computers don't come back on line".

"Not that I'm aware of", he said. "You just have to be patient".

The computer system that shut down yesterday provides officials with details on who they need to detain for secondary screening, which is without doubt a worthy goal in this day and age. But the lack of a backup plan reveals a critical lack of "defense in depth" thinking - and planning.

The incident at LAX should have created an ideal situation to test the DHS (non-computerized) back-up plan. The fact that no back-up plan appears to exist - none was executed inside ten hours of downtime - indicates a lack of planning that few private companies would allow.

It isn't as if the DHS doesn't have the resources. The Department of Homeland Security has a $30 billion annual budget.

What would happen in the event of a terrorist attack on an airport? What is the plan if the entire US network were to go dark? Are incoming passengers to be carted off to a hanger somewhere? Is there even a plan in existence with that amount of detail?

On July 30th, Bennie G. Thompson, D-Miss., and Chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James R. Langevin, D-R.I., both signed off on a letter to DHS CIO Scott Charbo, asking him some hard questions. about the 844 security breaches the DHS has experienced over the past two years.

They have given Mr. Chabo until August 27th to respond. Post this incident, I expect his response will draw a significantly greater audience of reporters that it would have previously.

No comments: