Homeland Security has a Data Problem

Saw Something, Saying Something, Do Something

09 Jun 2021

What is a writer to do when a story has three equal headlines? Each drawn this month from public documents and government reports from the Inspector General.

Headline Number One: Homeland Security has a Data Problem!

Headline Number Two: Inspector General Demonstrates 22% Error Rate with FEMA Programs.

Headline Number Three: FEMA to provide $1B for infrastructure and communities.

Headline number one derives from the most recent DHS OIG report (published 24 MAY 2021). The Inspector General states that persistent data problems hinder DHS mission, programs, and operations. Rather stinging statement.

Headline number two was published by the same IG earlier this month on the 7th of May 2021. They didn’t make the headline they should have. I worked hard to find the information. But it is in there.

Headlines number three was also released this week (the last week of May 2021). We’ve decided to entrust FEMA with an additional $1 billion in grants for infrastructure and communities. As Rachel, my niece, said over dinner this week: So, that means about $200 million in errors?

I guess so.

What could possibly go wrong? Let’s explore than now.

OIG

We have a team of professional auditors and related professions working for the Office of Inspector General. I have met several, worked with some. They are plain people. We enjoyed having them use our software and collaborate with us. They serve as our nations’ watchdog bringing attention to problems. To aid with context, I am pulling a few phrases from their website: oig.dhs.gov

Congress enacted the Inspector General Act of 1978 to ensure integrity and efficiency in government. Both the Department of Homeland Security (DHS) Act and this Office of Inspector General (OIG) were established by Congress in 2002. The OIG is led by an Inspector General who is appointed by the President and subject to Senate confirmation.

The DHS OIG provides their vision statement this same website:

Drive transformative change to improve DHS programs and operations and promote a safer homeland.

And on the website, they provide their mission statement too:

To provide independent oversight and promote excellence, integrity, and accountability within DHS.

I applaud the efforts to promote excellence, integrity, and accountability within our government. Excellence is a high bar – but integrity and accountability ought to be an achievable standard. Promoting excellence is the right mindset and right phrase, though. No one of us wants to parade around saying: Good is good enough.

I sure have said: Good is good enough – because it can be. Even in those moments when accepting good, we tacitly acknowledge that we’ve missed the mark on excellence. Excellence is an excellent goal.

We have asked these people (The OIG) to audit financial activity, examine policy compliance whilst exploring potential crimes. We’ve given them a forum. They publish reports they post to a public website. You can also subscribe to their reports. Their reports go to the U.S. Congress and agency heads.

Their findings this month ought to have racked us all – put us back in our chairs with shock and disappointment. FEMA overpays and mismanages funds such that there is a 22.3% error rate during the recent years. 0% is the goal. 10% is the OMG reporting level. 22.3% is a serious deviation from norms. Now we’ve asked FEMA to mismanage another $1 billion – should we really expect $200 million to get flushed down the drain? No.

That is why we’ve asked the Inspector General to look, research, audit, and report. I really want to call the OIG an independent third party – but they are not. The Inspector General and the staff all work for the same agency they are reporting on. Imagine what a truly independent auditing team may discover?

Here is this team pointing at a raging issue and we don’t listen.

Shame on us.

9/11 of 2001 left a huge and profound mark on my life as it did so many. My personal connection to the terrorist attacks of that day remains remote, yet nearly every major event in my life and career opportunity rings with echoes of that day. In September of 2005, I stood at Fort Hood in Texas under government orders joining a military unit as a civilian. Months of training followed by a full year deployment. Because of 9/11, I spent a year in Iraq. Because of 9/11, the nephew we raised spent a year in vicious combat as a U.S. Marine. Because of 9/11, Jake, the nephew, lives with pain. The VA granted him a 100% disability for surviving an IED attack on his HUMVEE. Most Americans I know have been touched by the events and aftermath of that day.

Lessons from that horrible Tuesday morning anchor my feet to the soil and grip my soul. One of those lessons is: Listen to the warnings. Listen to all of the warnings.

If you hear a fire alarm, leave. Don’t ever think that this phone call or that email or anything is more important that the voice telling you to react. That voice/alarm may be official, internal, or something else. We should have learned to pause, look around, and evaluate.

In the hours before the 1941 attack on Pearl Harbor, U.S. Navy ships observed enemy subs nearby. Their alerts failed to bring the needed alarm. It was a quiet Sunday morning. Responding to an alert about subs requires effort.

What should the Navy do about a few enemy submarine sightings? Wake everyone up, push their ships to sea? Expect a full-scale air attack? Is pushing ships to sea more hazardous than leaving the fleet in harbor? The event happened 80 years ago.

The terrorist attacks of September 11th, 2001 happened 20 years ago.

We admitted to ourselves that our intelligence agencies failed to communicate. We made this assessment in the months and years following. The Department of Homeland Security formed in 2003 as a result of the attacks.

Our government pulled 22 agencies together. Which resulted in massive redundancy. I have a friend who was the CIO (chief information officer) for DHS. I subsequently learned she was one of 30 CIOs at the new agency. When we worked together in the early aughts she was top-flight at cybersecurity and IT planning. At DHS, she was a silenced voice and eventually pushed out. I don’t know who could have survived that. The agency is massive with 240,000 employees and thousands of contractors.

The agency is our sentry, the guardian of our homeland. The DHS staff and agents serve as a trip wire around our nation. The cry was: “Never again” and “Never forget”. We put the airport security checkers, border agents, customs, and Coast Guard together forming a line of sentinels. We gave the agency intelligence capabilities with strict orders to share and communicate with other intelligence agencies. We gave them authority to defend cybersecurity and critical infrastructure. We’ve asked them to counter weapons of mass destruction. We’ve also granted the employees of the agency law enforcement authority through U.S. Code section 1315 B. Not all employees always have the authority, but the law permits the secretary to designate any of the employees a law enforcement officer with a pen stroke.

In the early years, we learned “See something, say something”.

Yet what do we do when DHS employees “say something”. When DHS employees state FEMA has a problem managing money, the inspector general’s office is saying something. They print it. They distribute it. And the information can be fetched with a mouse click. The IG staff “see something” and they have seen it for years.

See Something

This catchphrase always suffered from better intentions than efficacy. Clearly, we were supposed to call the police when we saw a backpack or package left behind in a public space. Otherwise, it blows up. Mobile phones and social media allows us to see a lot more than we use to see. And we’ve learned to say something about what we are seeing.

I’ve learned it is hard to get heard.

Evidence is difficult to look at.

We are slow to respond to facts.

See something, say something barely touches on the responsibility that  we have to do something. And doing something is so hard. Yes, of course I am talking about social responsibility and social justice. And yes, of course I am talking about the Department of Homeland Security. Yes, all of it.

The OIG has stated plainly, boldly, publicly that our national foremost agency for security of our homeland is at serious risk. Their mistakes and problems hinder their own missions.

What happens to homeland security if their own mantra of “see something, say something” fails, or even backfires on themselves?

Can the American people do something in the face of this continued scrutiny?

We all feel sufficiently overwhelmed with other problems, right? I do. I assume you do to. Still, the duty rests with us. We must live with our choices.

The OIG states that DHS has serious problems with data management and financial management. What is our action? What choice do we make? We can either (A) do something; or (B) do nothing. If we do nothing, we acknowledge that DHS won’t change. What they are doing is good enough for us.

Let’s look at the most recent IG report (OIG-21-37 dated 24 May 2021). It is titled: “Summary Report: Persistent Data Issues Hinder DHS Mission, Programs, and Operations”. The report opens with the section “What we found?”. I quote:

Significant challenges hinder the Department of Homeland Security’s day-to-day use of some of the Nation’s largest and most diverse databases to support its vast mission operations. DHS needs to improve the collection and management of data across its multiple components to better serve and safeguard the public. The data access, availability, accuracy, completeness, and relevance issues we identified presented numerous obstacles for DHS personnel who did not have essential information they needed for decision making or to effectively and efficiently carry out day-to-day mission operations.

We attributed the systemic data issues identified to widespread deficiencies that can be grouped into five categories: security and technical controls, program and operational oversight, guidelines and processes, system design and functionality, and training and resources.

DHS has improved its information security program and developed various plans and strategies to improve the quality and management of its data. Corrective actions in response to recommendations made in our prior reports are also good steps forward. However, follow-through and continued improvement will be essential to address the internal control issues underlying the data deficiencies we highlighted. Only then can the Department be assured it captures reliable and accurate data to accomplish its mission responsibilities.

What goes wrong when data is compromised? Let’s look at the spring of 2021 for a few clues. We had a gasoline pipeline fail for days because their systems were compromised by cyber-criminals with ransomware – software that seizes control of systems until a ransom is paid. What happened? We had a short-term fuel crisis. We issued warning to not store petrol in plastic shopping bags. Fist fights and long lines at fuel stations. Hospitals during covid fell victim to similar software.

Hey, even my own super confidential personal data is available now. I held a top secret clearance. All of my data was collected by the Office of Personnel Management. They got hacked. Those data got stolen. For almost a decade, Uncle Sam has paid for monitoring of my on-line profiles. I assume some bad-guy has it all: every address, every identification number, interview information, employment and salary history, bank and financial data  .

The University of Vermont Medical Center was hack this recent winter. It limited their abilities to provide patient care.

These are real risks that impact real people.

As the nation’s largest law enforcement agency, as a constituent member of our intelligence process, as the defender of the homeland, DHS needs to protect their data to protect us.

Their failure here, fails us all.

Their failures already harm us all!

It can only get worse.

The IG examined data for the last several years. Their findings repeatedly hit on these four items:

  1. DHS did not adequately design, implement, and operate effective controls over initial authorization of application, database, and operating system accounts.
  2. DHS did not consistently implement technical controls over logical access to key financial applications and underlying system software components.
  3. DHS did not fully implement controls over the generation, review, analysis, and protection of application, database, and operating system audit logs.
  4. DHS did not implement controls related to review and revocation of system access to ensure consistent and timely removal of access privileges from financial systems and general support systems for transferred and/or terminated employees and contractors.
  5. Page after page, the report condemns DHS for their mismanagement. Each point seems independently terrible and horrifying. Yet, the failures are not isolated – yes, personnel records, intelligence data, medical data all face risks. As do financial data, etc, etc. It is bad. And the IG says so, clearly.

The IG sees a problem. See something say something.

The IG states the problems. The report is 36 pages long. The report relies on data collected during the recent five years. The information is broad, deep, and historical.

That’s bad, right?

Say Something

I’ve got to tell you that DHS-OIG Report 21-33 is one of the worst written reports I have ever read – worst as in poorly organized and poorly written. To their benefit, the IG was not raised by a newspaper person. In the report, on page 8 in a blue-and-black table, they report that FEMA’s Public Assistance – Disaster Supplemental Funding program suffers from a 22.3% error rate. All other DHS agencies had error rates below 6%. Several of the agencies had error rates down near 1 and 2%. 0% error rate is terrific, but we’re human. 1 and 2% error rates for overpayment of bills seems mildly acceptable.

The federal law require reporting when the numbers cross 10%. That should be the big-bold line informing us that there are problems. Two of FEMA’s funding programs run darn close to 20%. One over at 22.3% and one just under at 18.6%.

The FEMA funding program that has the 22% error rate – that is the precise program that we are currently using to fund the COVID-19 pandemic response.

The FEMA funding program that has the 22% error rate – that is the precise program that we engage when there is a significant natural disaster.

That FEMA funding program is FEMA’s headline program. That the biggie. That’s the one we all hear about after a hurricane tears through Louisiana.

We’re asking FEMA to manage nearly $55 Billion in COVID funding through the self-same program that they have a 22% error problem with.

The OIG sees this as a problem.

Do we see this as a problem?

Do we accept this as normal operational issues? Or do we want to change this?

Are we willing to lose $10 billion in overpayments as a result of our COVID response?

$10B is the annual budget for the City of LA.

Come on, $10B is a lot of money. And $10B is an unacceptable loss.

22% is an unacceptable error rate.

The Inspector General points their finger at this problem. Non-partisan, non-political, even technical an insider organization. They clearly, boldly state: FEMA has a problem managing money through their disaster response program.

They’ve said it. We see it (if we go look at the data).

What do to?

Do Something?

So far during this spring of 2021, our response to FEMA’s mismanagement of funds is to give them more funds.

Our normal tools for improving mismanagement of information and money is to do something with computers. But…

But, we need DHS and FEMA to make dramatic and immediate improvement to their computer and data systems.

Certainly, I have some ideas. Others do to. Before we get to ideas, we need the DHS to acknowledge their problem before finding a systemic and long-term means of addressing the core issues.

As a personal perspective, I spent over three months this winter enhancing our software that manages federal funds (including FEMA’s disaster grants). I was shocked that most of what we did was remove code. We simplified code. We reduced risks and limited options. We were doing great and faced no criticism. And yet, every removed feature, every line of code we removed, everything that we shed from our system enhanced our posture.

Frankly, I see DHS and FEMA responding this criticism by asking for more system and more money.

No idea will be implemented until the DHS and FEMA “stop, look, and listen”.

It will take senators, congressional representatives, the press, and cultural influencers to help us stop this cycle of problems.   

These issues are predictable. Folks in 2001 and 2002 called them out as we aggregated 22 federal agencies into one massive Department of Homeland Security.

They are solvable too. We expect banks and investment firms to manage $55 Billion relatively error free.

We can do it. I want to be a part of the solution. No one is asking me, yet. More the point, no one cares, yet. No one yet cares about these three headlines:

Homeland Security has a Data Problem!

Inspector General Demonstrates 22% Error Rate with FEMA Programs.

FEMA to provide $1B for infrastructure and communities.

Maybe we are not yet seeing the connection between them. DHS collects data on everything – and that is at risk of being leveraged against us. FEMA, part of DHS, fails to focus on their fiscal management responsibilities resulting in a 22% error rate. And we keep giving more money to DHS and asking them to do more for us.

The Inspector General is not reading a crystal ball or operating from some prescient plane or consulting  astrological sages providing warning about an unknown future. The IG states these issues exist, now. Like a tooth ache or chest pain, we ignore this information at our own peril.