Mimesis Law
27 May 2020

Cybersecurity Failures Show The DEA Is Just Like OPM

Mar. 4, 2016 (Mimesis Law) — Last year’s embarrassingly large hack of government data held by the Office of Personnel Management (OPM) led to resignations, a lawsuit by the largest Federal Employee’s Union, and the Pentagon announcing plans to outsource cybersecurity.  Christopher Soghoian, the ACLU’s chief technologist, decided to assist the efforts by publicly outing another government agency that’s badly bungling cybersecurity and causing a threat to the public in the process.  That agency is the Drug Enforcement Administration.

Soghoian started with a tweet.

How to disclose a security flaw to the DEA.

1 Find CISO on LinkedIn.
2 Look up consulting company records.
3 Email.
http://files.cloudprivacy.net/dea-disclose-flaw.pdf …

The linked letter is to Bret Stevens, the DEA’s current Chief Information Security Officer, and is extremely polite in tone, given the egregious nature of this gaffe.  The DEA’s online tip form doesn’t protect the private information of those who provide tips.

The DEA operates an online tip­form, through which individuals can report “possible violation of controlled substances laws and regulations. Violations may include the growing, manufacture, distribution or trafficking of controlled substances.”

See: http://www.dea.gov/ops/submit.php

This website does not use HTTPS to protect the transmission of information. It should.

As you no doubt know, OMB has stated that every federal agency must use HTTPS, by default, for its entire public facing website by the end of 2016.

See: https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m­15­13.pdf

Per the OMB rule, agencies are supposed to prioritize “Web services that involve an exchange of personally identifiable information (PII), where the content is unambiguously sensitive in nature”. An online form that solicits law­ enforcement tips would seem to fall into this category.

Soghoian is being kind in his tone. It doesn’t “seem to fall into this category.”  The DEA’s tip form absolutely falls into this category when asking for your name, telephone number, email address, the date and location of a suspected drug crime, and what was witnessed. This kind of information is the sort that would allow a violent criminal to walk up to a well-meaning citizen’s door and execute someone’s entire family for simply being a well-meaning citizen.

Tim Cushing, analyzing this mind-boggling screwup at Techdirt, seems to think the DEA’s just not concerned enough to comply with security regulations.

Not only has the Office of Management and Budget stated every agency must use HTTPS on all public-facing websites by the end of 2016, but you’d think a form that collects personal info about members of the public — especially in conjunction with info about possibly armed and violent criminals — would be given an extra layer of security. Apparently, the DEA is not all that concerned about its tips being scooped by criminals, or criminals intercepting unsecured tips in order to target do-gooders.

I’ll take a different tack than Tim. It’s not that the DEA isn’t concerned. It’s that Bret Stevens is either too arrogant, stupid, or lazy to think that criminals won’t exploit this flaw to make sure “snitches” aren’t protected.

Why should he be concerned? He’s got a nice, cushy government job in an office with a pension and benefits.  There’s absolutely no reason for him to do his job until the last possible second.  It wouldn’t be at all surprising if, but for Christopher Soghoian exposing this flaw, Bret Stevens waited until December 31st of this year to make the DEA’s website government compliant. Stevens’ failure to address basic security issues that protect the public in a timely fashion is an insult to the public, and whoever named him as “Chief Information Security Officer” should go sit in a corner and think about what he did whilst wearing a dunce cap for hiring Stevens.

Soghoian politely asked Bret Stevens to adopt better practices and transparency steps in his email as a call to action.

On a more general note, I would also like to encourage you to post publicly contact information for your information security team, so that researchers and other individuals can responsibly disclose flaws such as this issue. This is a best practice followed by some federal agencies, widely adopted by those in the private sector, and promoted as a best practice by the Federal Trade Commission.

It won’t happen.  That’s a point on which Tim Cushing and I agree.

If this email manages to reach Bret Stevens, it will likely be sneered/groused at before being discarded as the imperious communications of a meddling motormouth representing an entity far too concerned about the rights of all Americans, especially the guilty, drug-dealing ones. As for its unsecured tip form, it will likely remain unsecured until the DEA is finally forced into compliance with the OMB’s instructions.

Right now, I can name three sites that use HTTPS security protocols that aren’t the DEA. Those would be Facebook, Twitter, and YouTube.  Each is unapologetic in the way they monitor the average person’s usage habits and tailor content to suit the user’s needs.  They give a damn about what the customer wants, and are unapologetic about they way they do it.

The DEA doesn’t give a damn about you if you report drug crimes through their online tip form, and they’ll stay unapologetic about it until someone or something makes them care. The potential murder of an informant clearly isn’t enough to get them off the dime.

2 Comments on this post.

Leave a Reply



Comments for Fault Lines posts are closed here. You can leave comments for this post at the new site, faultlines.us

  • Jack
    4 March 2016 at 4:57 pm - Reply

    While this is completely absurd and wrong in so many ways, TLS isn’t going to save a neighbor reporting a meth lab or grow op in the house next door if their WiFi isn’t secure. It’s unforgivably bad that the DEA isn’t using TLS for something like this, but it is nothing but window dressing in the scenario you describe. What bothers me more than the form being insecure is the fact that it even exists in the first place…

    Even though TLS will encrypt the body of the request – it still won’t hide the fact that they were on the DEA’s website doing something.

    If I’m Scarface and I’m paranoid enough to be monitoring my neighbors WiFi and phone calls, them just going to the DEA’s website would be enough to put a bullet in their head.

  • Eliot clingman
    7 March 2016 at 12:40 am - Reply

    That is true… Under HTTPS the target host name is not encrypted (TLS is part of HTTPS)