News

Actions

Recent audit found USPS computer network vulnerable to threats

Post Office seal
Posted at 6:10 PM, Aug 03, 2020
and last updated 2020-08-03 18:38:42-04

As the November election approaches and more discussion around how to handle voting arises, a recent audit of the United States Postal Services computer network found security issues, leaving the network vulnerable to threats and theft.

A 20-page long redacted U.S. Inspector General audit describes how inspectors secretly cyberattacked U.S. post office computer networks over and over before March, and found the USPS' cybersecurity team, known as CSOC, "detected very little" of the attack.

Inspectors discovered the postal service neither developed nor used metrics to effectively measure response capabilities. The report also claims managers "did not track or monitor" millions of dollars invested in post office cybersecurity, and that staff had "incident response tickets" open for over a year with no status update.

Left unchecked, the report said these findings "could possibly lead to theft" of sensitive information, including personal IDs. The flaws could also weaken systems critical to mail delivery and leave law enforcement in the dark on attempting to trace any evidence of cyberattacks back to their source.

Despite all this, Dr. Richard Harknett, co-director of the Ohio Cyber Range Institute, said this audit is a very good thing, since it has identified critical flaws that can be fixed. These flaws, he said, may never have come to light if the system wasn't being scrutinized ahead of the November election.

"If we weren't talking about mail-in voting, we wouldn't be talking about this IG report," said Harknett.

Harknett said it's important to keep in mind that there is no such thing as 100% safe and defended when it comes to cybersecurity.

"So, at one level, when you read this IG report, I think it's important to keep into context that it's not just the postal system," said Harknett. "Our federal system, which are pretty complex, very large organizations have these gaps."

But as the coronavirus pandemic continues on in the United States, a high numbers of mailed ballets are expected this November -- records were shattered in Kentucky and Ohio during the delayed, mailed-in primary elections earlier in 2020.

"It's an institution struggling," said Tray Grayson, former Kentucky Secretary of State. "It struggles with mail volume. It struggles with its business model."

He said he isn't yet convinced that a reliance on mail-in voting is the answer this November, suggesting instead more early voting to allow for a higher quantity of in-person ballots cast.

When asked for comment, a post office spokesperson issued this statement:

The U.S. Mail remains a secure, efficient, and effective means for citizens to participate in the electoral process, and the Postal Service is proud to serve as a critical component of our nation’s democratic process. All U.S. Mail is protected by more than 200 federal laws enforced by the United States Postal Inspection Service, one of the nation's oldest federal law enforcement agencies. The Inspection Service has a proud history of identifying, arresting, and assisting in the prosecution of criminals who use the nation’s postal system to defraud, endanger, or threaten Americans.

The Inspection Service maintains robust mail theft, mail fraud, cyber, and security programs that identify, prevent and mitigate issues that could undermine the integrity of election mail. The Inspection Service works closely with the Postal Service as well as our local, state and federal partners, to address customer concerns involving election mail. While election mail is in the hands of our hard-working postal employees, the Inspection Service stands ready to protect it regardless of public health emergencies or natural disasters.

Post office managers said the methods used to test their network were "flawed by design" and not a reliable indication of the security of the USPS network.

Read the full (redacted) OIG report below:

OIG Report by WCPO Web Team on Scribd