BBG Watch Media
The Broadcasting Board of Governors’ (BBG) “response to cybersecurity incidents and its newly developed policy and procedures were the subject of a cutting review by auditors at Williams, Adley & Company-DC, as reported by the agency’s inspector general in a new report,” Federal Times reported. Overall, Williams, Adley determined that BBG’s IR&R program was not operating effectively.
Without an effective IR&R program, the Broadcasting Board of Governors may be unable to properly identify and respond to unauthorized breaches, identify weaknesses, and restore IT operations in a timely manner, which may impede BBG’s ability to achieve its core mission, the Office of Inspector General concluded.
“Part of the problem, according to the report, was BBG’s lack of an established policy and procedure for reporting these incidents. However, the IG said this probably wouldn’t have actually helped in these cases.”
According to the IG, the BBG guidance — “finalized in May 2015 — does not match the best practices outlined by US-CERT and the National Institute of Standards and Technology.”
READ MORE: IG: Broadcasting Board cyber policies not ready for primetime, By Aaron Boyd, Senior Staff Writer, Federal Times, 4:06 p.m. EST, January 20, 2016
BBG has also experienced other serious technological failures recently, problems that have gone unaddressed for years despite frequent complaints from Voice of America (VOA) journalists.
In December 2015, BBG’s CIO/CTO and the agency’s former acting CEO André V. Mendes apologized for the repeated failures of the digital storage system used by Voice of America broadcasters to process their video reports.
Also in December, VOA experienced a crippling power failure that affected many of its broadcasts. BBG’s International Broadcasting Bureau (IBB), which is also responsible for cyber security, was unable to repair the power line break or even to provide an emergency power supply for many hours.
André V. Mendes pleaded with Voice of America employees: “please accept my personal apologies for this serious event. It is very distressing and equally humbling.” He was named Interim CEO and Director of the Broadcasting Board of Governors by BBG Chairman Jeff Shell when the former CEO Andy Lack suddenly left the agency after only a few weeks on the job. From December 2009 to January 2014, André Mendes was CIO/CTO, Director, Technology, Services and Innovation, Broadcasting Board of Governors, International Broadcasting Bureau (IBB). In the absence of a permanent director, Jeffrey N. Trimble has been IBB Deputy Director for several years.
New BBG CEO and Director John F. Lansing joined the agency last September.
READ MORE: One BBG executive apologizes, others keep silent, BBG Watch, December 30, 2015
The overall purpose of an IT incident response and reporting (IR&R) program is to allow an organization to detect cyber security incidents rapidly, minimize loss and destruction, identify weaknesses, and restore IT operations quickly. Acting on OIG’s behalf, Williams, Adley & Company-DC, LLP (hereinafter referred to as Williams, Adley), an independent public accounting firm, evaluated the effectiveness of the Broadcasting Board of Governors (BBG) IR&R program for the period October 1, 2014, through May 26, 2015, in accordance with BBG information security policies and procedures, Federal law, and applicable standards and guidelines.
Overall, Williams, Adley determined that BBG’s IR&R program was not operating effectively. Specifically, for all seven cyber security incidents reported to BBG’s incident response team, the Computer Security Incident Response Team (CSIRT), during the scope period, BBG’s incident response team did not fully comply with categorization guidelines, reporting requirements, and remediation timelines as required by the U.S. Computer Emergency Readiness Team (US-CERT). Williams, Adley determined that one cyber security event was not properly categorized as a cyber security incident. In addition, category levels were not assigned to any of the seven cyber security incidents tested. Furthermore, two cyber security incidents were not reported to US-CERT as required, and another cyber security incident was not reported to US-CERT in a timely manner.
These deficiencies may have occurred in the IR&R program because BBG’s IR&R policy and procedures were not finalized until May 7, 2015. However, Williams, Adley found that even if the policy and procedures had been implemented during the evaluation period, the documents were ineffective in achieving the desired and Federally required results of an effective IR&R program. For example, BBG’s policy and procedures lacked a defined process to correlate IT events and cyber security incidents.
Without an effective IR&R program, BBG may be unable to properly identify and respond to unauthorized breaches, identify weaknesses, and restore IT operations timely, which may impede BBG’s ability to achieve its core mission.
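The OIG summary above spells out what an IR&R program is measured against: IT events have to be correlated and classified, each incident needs a category level, and reports must reach US-CERT on time. As an added illustration, not code from BBG Watch, BBG or the OIG report, the following Python sketch runs those checks over a handful of constructed IT events and incident records. The reporting deadline, the correlation window, the `Event` and `IncidentRecord` fields and the category label are all assumptions made for the example; the page quotes no actual US-CERT figures.

```python
"""Added example (not BBG, OIG or BBG Watch code): a response team's self-check
over its own incident records, modelled on the four finding types in the OIG
summary, plus a simple event-correlation step. All data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed values for this example only; the page gives no real figures.
REPORTING_DEADLINE = timedelta(hours=1)      # how long after detection a report is due
CORRELATION_WINDOW = timedelta(minutes=30)   # gap that still links two events on one host


@dataclass
class Event:
    """A raw IT event as a monitoring tool might log it (constructed fields)."""
    host: str
    at: datetime
    kind: str


def correlate_events(events: List[Event], window=CORRELATION_WINDOW) -> List[List[Event]]:
    """Group events on the same host that fall within `window` of the previous one
    into a single candidate incident, so related events are triaged together."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: (e.host, e.at)):
        by_host.setdefault(ev.host, []).append(ev)
    groups: List[List[Event]] = []
    for host_events in by_host.values():
        current = [host_events[0]]
        for ev in host_events[1:]:
            if ev.at - current[-1].at <= window:
                current.append(ev)
            else:
                groups.append(current)
                current = [ev]
        groups.append(current)
    return groups


@dataclass
class IncidentRecord:
    """One entry in the response team's tracker (constructed fields)."""
    ident: str
    detected_at: datetime
    is_incident: bool                 # the team's classification: event or incident
    confirmed_impact: bool            # constructed marker: the event had real security impact
    category: Optional[str]           # category level assigned by the team, if any
    reported_at: Optional[datetime]   # when the record went to US-CERT, if ever


def audit_record(rec: IncidentRecord, deadline=REPORTING_DEADLINE) -> List[str]:
    """Return the findings for one record; an empty list means it passed."""
    if not rec.is_incident:
        # Finding type 1: an event with confirmed impact left classified as a mere event.
        return ["event not categorized as an incident"] if rec.confirmed_impact else []
    findings: List[str] = []
    if rec.category is None:                               # finding type 2
        findings.append("no category level assigned")
    if rec.reported_at is None:                            # finding type 3
        findings.append("not reported to US-CERT")
    elif rec.reported_at - rec.detected_at > deadline:     # finding type 4
        findings.append("reported to US-CERT late")
    return findings


def audit_program(records: List[IncidentRecord], deadline=REPORTING_DEADLINE) -> Dict[str, List[str]]:
    """Map each non-compliant record id to its findings."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = audit_record(rec, deadline)
        if findings:
            result[rec.ident] = findings
    return result


T0 = datetime(2015, 3, 2, 9, 0)   # constructed timestamp inside the evaluation period

SAMPLE_EVENTS = [   # constructed
    Event("web-01", T0, "failed logins spike"),
    Event("web-01", T0 + timedelta(minutes=10), "new admin account created"),
    Event("web-01", T0 + timedelta(hours=5), "scheduled reboot"),
    Event("mail-02", T0 + timedelta(minutes=3), "outbound connection to unknown host"),
]

SAMPLE_RECORDS = [   # constructed; "level-2" is a placeholder category label
    IncidentRecord("EVT-1", T0, False, True, None, None),                          # misclassified
    IncidentRecord("INC-1", T0, True, True, None, None),                           # no category, unreported
    IncidentRecord("INC-2", T0, True, True, None, None),                           # no category, unreported
    IncidentRecord("INC-3", T0, True, True, None, T0 + timedelta(hours=6)),        # no category, late
    IncidentRecord("INC-4", T0, True, True, "level-2", T0 + timedelta(minutes=20)),  # compliant
]

if __name__ == "__main__":
    for group in correlate_events(SAMPLE_EVENTS):
        print(group[0].host, [e.kind for e in group])
    for ident, findings in audit_program(SAMPLE_RECORDS).items():
        print(ident, "->", "; ".join(findings))
```

The two web-01 events ten minutes apart land in one candidate incident while the reboot five hours later does not, and the audit reproduces the pattern the report describes: one event that should have been an incident, no category levels, two incidents never reported and one reported late.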
In its response (see Appendix B) to a draft of this report, BBG concurred with OIG’s recommendation to amend and implement BBG’s IR&R policy and procedures. OIG considers the recommendation resolved, pending further action. BBG’s response to the recommendation and OIG’s reply are presented after the recommendation.
An Earlier Incident
The Iranian Cyber Army managed to launch a successful hacking attack on the Voice of America (VOA) main news website in February 2011, replacing it for several hours with an anti-U.S. message addressed to the then Secretary of State Hillary Clinton.
The February 21, 2011 message from the Iranian Cyber Army posted on the Voice of America homepage following a successful hacking attack said:
“We have proven
that we can”
“Mrs. Clinton Do you want to hear the voice of oppressed
nations from heart of USA ?” [sic]
“Islamic world doesn’t believe USA trickery .” [sic]
“We call on you to stop interfering in Islamic countries .” [sic]
According to an earlier 2014 Office of Inspector General (OIG) audit, the Broadcasting Board of Governors Information Security Program showed “a significant deficiency.”
Many of these deficiencies have not been addressed by the IBB leadership since 2014.
OIG: “Collectively, the information security control weaknesses we identified in this audit represent a significant deficiency to enterprise-wide security, as defined by OMB Memorandum M-14-04. We identified control weaknesses in 9 of the 11 information security program areas that considerably impacted BBG’s information security program. The most significant information security deficiencies are related to the risk management framework, continuous monitoring program, [Redacted] (b) (5) contingency plans, configuration management, and the incident response and reporting program. In addition, information security program areas that need improvement include Plans of Action and Milestones (POA&M), remote access, identity and access management, and security training. Since FY 2010, the weak (and in some cases lack of) security controls adversely affected the confidentiality, integrity, and availability of information and information systems. As an example, according to a BBG official, the weak security controls resulted in the hacking of BBG Web sites in 2011.”