DHS disaster-response database falls short

IG cites lack of security, continuity plans

The Homeland Security Department's primary database for emergency preparedness and response lacks adequate continuity-of-operations plans and protections for sensitive data, DHS' inspector general has concluded in a new report.

Run by the department's Emergency Preparedness and Response Directorate, the National Emergency Management Information System (NEMIS) tracks incident coordination efforts. Officials use the database for activities such as managing disbursements to disaster victims and spending on recovery efforts at the federal and state levels.

Richard Skinner, DHS' IG, wrote in the report released Nov. 7 that "due to database security exposures, there is an increased risk that unauthorized individuals could gain access to critical [Emergency Preparedness and Response] database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data." He noted that the directorate might not be able to recover the database after a disaster.

The report is another black eye for the directorate that includes the Federal Emergency Management Agency and oversees national efforts to prepare for and respond to disasters. Congress and the public recently criticized DHS and FEMA for their response to Hurricane Katrina, which devastated the Gulf Coast in August.

The IG's report recommends that Barry West, FEMA's chief information officer, fix all remaining vulnerabilities and guarantee that appropriate access-control measures are in place. The CIO's office should also create and implement annual contingency training and testing programs, the IG report states.

In his written response -- which was dated Aug. 10, nearly three weeks before Katrina hit New Orleans -- West said his office had implemented 71 of the 100 security improvements the IG had suggested. West said the report spurred him to mandate annual independent security assessments of NEMIS starting in fiscal 2006.

NEMIS' lack of data security could put thousands of Americans' personal information at risk, said Jennifer Kerber, director of homeland security at the Information Technology Association of America.

The lack of sufficient security and backup procedures for NEMIS data is alarming but not entirely surprising, Kerber said. Poor access control has led to major data breaches in the private sector, she said. "You would find a lot of places don't have as secure a database as they think they do," she added.

"I'm surprised, if [NEMIS] is responsible for that amount of activity, [that] it is not more well-protected," said Mark Ghilarducci, vice president of James Lee Witt Associates, an emergency-management consulting firm. Previously, Ghilarducci was a deputy director at the Governor's Office of Emergency Services in California.

During emergencies, FEMA hires thousands of temporary workers who need access to NEMIS and other computer systems, Ghilarducci said. The directorate needs to create a robust gatekeeping system and ensure that users cannot access the systems after they leave FEMA, he said.

The directorate also should conduct thorough audits of its IT systems to prevent attacks, Ghilarducci said. European hackers once hid pornography on the Office of Emergency Services' servers, he said, but the diligence of the IT security staff led to the discovery and removal of the material. Without conscientious auditing, NEMIS might not find that kind of intrusion as quickly, he said.

In its defense, Ghilarducci said, FEMA is suffering from a loss of expertise and funding. "There's no excuse for [their NEMIS performance], but I understand the challenges they face," he said.

Database deficiency diagnosis

The Homeland Security Department's inspector general has found a number of security weaknesses in how DHS' Emergency Preparedness and Response Directorate manages one of its primary databases, the National Emergency Management Information System (NEMIS).

The IG found that the directorate:

  • Lacks effective processes to ensure only the right people have proper access to NEMIS. The system's servers have vulnerabilities associated with access rights, password administration, configuration management and other issues. Those vulnerabilities could make NEMIS operations and data susceptible to cyberattacks.
  • Lacks sufficient procedures to audit NEMIS operations, which increases the risk that the directorate would not be able to detect or quickly investigate illegal access or malicious changes to data.
  • Has not tested the information technology contingency plan for NEMIS or trained employees to use that plan, and does not store NEMIS backup tapes in waterproof and fireproof containers.
  • Fails to comply with four requirements of the Federal Information Security Management Act of 2002 and with DHS' overall security policies, procedures and practices.

    -- Michael Arnone