When a federal department says its digital systems are under constant attack and the government comes up with more than $60 million to fix the problem, taxpayers expect to see a lot of progress. But the Agriculture Department's internal watchdog says the progress wasn't nearly good enough because programs were managed ineffectively and often failed to focus on the most critical areas of cybersecurity.
USDA's Office of the Chief Information Officer, or OCIO, was given $66 million in additional funding in 2010 and 2011 to improve computer and network security. It's spent $63.4 million -- but the report said the money didn't always go to the projects the OCIO outlined when Congress was asked for the money.
"We found that some of OCIO’s projects did not meet the purposes outlined in the Congressional request for funding or were not targeted to improve the most critical IT security risks," said Agriculture's inspector general.
For those flaws, the Agriculture Department's Office of the Chief Information Officer wins this week's Golden Hammer, a weekly distinction awarded by the Washington Guardian to a prominent example of government waste.
The report was critical of the management of the 16 projects OCIO started with the funding. It says the office started all 16 at once, and assumed funding would continue into the future -- so when funding was reduced, projects had to be severely scaled back and their time lines stretched out.
The IG report acknowledged "some progress" in improving USDA's digital security, but it said the funding should have yielded further improvements.
The report lists $6.7 million in expenditures that were not in the original request to Congress. Among them was a $2 million intern program, which was designed to build up a qualified work force, but actually netted the office one fulltime employee.
At the same time, the office didn't have nearly enough people to assess all of the security information it was gathering. It assigned only two people to sort through "13.3 terabytes of security alert data per day," the report said.
How much is that? About 20 times the amount of data a normal laptop computer can store.
The report said about 10 security incidents a week got reviewed. While the actual number of serious security incidents per week is unknown, the office, when it requested the funding, told Congress "USDA networks were under constant attack and were targeted by an abundance of malicious activity," the report said.
And the OCIO management of some programs was so lax that $235,000 was spent on a project that ended up being canceled because it was a duplicate of another project, the report said.
Repeated calls to the Department of Agriculture requesting comment were not returned.
The concern over Agriculture's digital security started in 2009, when the only way the department could find out about threats to its systems was when it was told about the attacks by the Department of Homeland Security or other law enforcement agencies.
The department has used the funding to make progress, the report said. It created the Agriculture Security Operations Center, which responded to three times as many incidents in fiscal year 2011 as it did in 2010.
OCIO has formally agreed with the report's recommendations to improve its management of the projects, and the inspector general has asked it for a list of specific actions it plans to take and when they will be completed.