A report on the security of TSA operational IT and communications systems released last month by the DHS Office of the Inspector General (OIG) is prefaced with a scathing critique of the redactions demanded by the TSA in the censored public version of the report.
The OIG report found a pervasive lack of basic security measures and consciousness at TSA airport facilities: doors propped open or with locks taped off, unmonitored entrances, lack of logs of physical access to communication nodes and servers, lack of redundancy, etc.
But the TSA tried to keep the OIG from reporting on even those problems that at already been publicly reported, after TSA review and permission, in earlier OIG reports or other pages of the same report. The real point of the TSA’s censorship is not security but avoidance of public and Congressional debate and oversight.
Here’s what the DHS’s own internal auditor reported:
I must lodge an objection regarding the way that TSA has handled information in the report it considered Sensitive Security Information (SSI). Specifically, we issued the draft report, Summary Report on Audits of Security Controls for TSA Information Technology Systems at Airports, to the Department on September 16, 2016.
[W]e asked for agency comments, including a sensitivity review, within 30 days of receipt of the draft. On October 7, 2016, the Chief of the SSI Program provided the results of its sensitivity review, marking as SSI various passages in the report. The redactions are unjustifiable and redact information that had been publicly disclosed in previous Office of Inspector General (OIG) reports. I am challenging TSA’s proposed redactions to our summary report….
I can only conclude that TSA is abusing its stewardship of the SSI program. None of these redactions will make us safer and simply highlight the inconsistent and arbitrary nature of decisions that TSA makes regarding SSI information. This episode is more evidence that TSA cannot be trusted to administer the program in a reasonable manner.
This problem is well-documented. In addition to my previous objection to the handling of one of our reports, the House Committee on Oversight and Government Reform in 2014 issued a bipartisan staff report finding that TSA had engaged in a pattern of improperly designating certain information as SSI in order to avoid its public release because of agency embarrassment and hostility to Congressional oversight.
As recently as a hearing held this summer, Chairman Katko of the Committee on Homeland Security, Subcommittee on Transportation Security, stated that the improper invocation of SSI “raised the specter that we’ve heard again and again about TSA conveniently using the security classifications to avoid having public discussions about certain things that may be unpleasant for them to discuss in public.”
In response to a request from House Homeland Security Committee Chairman McCaul, Transportation Security Subcommittee Chairman Katko, and Oversight and Management Efficiency Subcommittee Chairman Perry, the OIG has initiated a review of TSA’s management and use of the SSI designation. We expect to issue our final report in the summer of 2017.
Inconsistently and inappropriately marking information in our reports as SSI impedes our ability to issue reports to the public that are transparent without unduly restricting information, which is key to accomplishing our mission and required under the Inspector General Act . In order to meet our timeliness requirements, we are publishing this report with the redactions as requested. However, this letter serves as our formal direct appeal to the Administrator of TSA to remove the above-listed redactions….