The U.S. department charged with protecting government computers needs to secure its own information systems better, according to an audit released on Tuesday that showed lapses in internal systems used by the Secret Service and Immigration and Customs Enforcement.
The Department of Homeland Security also needs to establish a cyber training program for analysts and investigators, the audit said, with officials from several agencies blaming short-term budget allocations from Congress for their training cuts.
"We identified vulnerabilities on internal websites at ICE and USSS that may allow unauthorized individuals to gain access to sensitive data," according to the report by the Office of the Inspector General for DHS.
The websites are used by ICE and Secret Service agents to report investigation statistics, case tracking and information sharing, it said.
The audit said the 240,000-employee department has made progress in strengthening cyber coordination between agencies and made nine recommendations, which DHS accepted and said it was working to address.
The recommendations come as federal government's cyber security practices are under intense public scrutiny following recent breaches at the Office of Personnel Management, White House, State Department and other agencies.
The report focused on ICE, Secret Service and the National Protection and Programs Directorate, which is charged with protecting government computers and the nation's critical infrastructure from cyber attack. Responsibilities of ICE and the Secret Service include money laundering, financial and commercial fraud, bank and credit card fraud and identity theft.
Officials from ICE, NPPD and the Secret Service told investigators the agencies' ability to conduct proper training programs has been hampered by the stop-gap funding bills Congress has been passing because of its inability to approve yearlong spending in a timely way.
One ICE analyst told investigators he had not attended any formal training in four years, partly because of federal budget cuts known as sequestration, and invested his own time and money for cyber training.
"Without developing the department-wide training program, component personnel may not possess the skills necessary to perform their assigned incident response duties or investigative responsibilities in the event of a cyber attack," the report said.
The inspector general also said the department needs to develop a strategic plan to coordinate cyber activities and would benefit from automated capability for near real-time incident information sharing.