FEMA begins security overhauls following cyber incident and employee firings
The Federal Emergency Management Agency has made several changes to its internal security posture following a cyber intrusion that prompted Homeland Security Secretary Kristi Noem to purge two dozen of its technology staff in a dramatic move announced late last month.

The firings were made public on Aug. 29, following a routine review of the agency’s systems, which uncovered a vulnerability “that allowed the threat actor to breach FEMA’s network and threaten the entire department and the nation as a whole,” the Department of Homeland Security said at the time. The terminations also targeted the disaster response agency’s top technology and cybersecurity officers.

The vulnerabilities may be linked to a series of internet security holes and applications that weren’t entirely secured across the agency’s technology environment, two people familiar with the matter told Nextgov/FCW, citing recent updates observed within the agency.

The people were granted anonymity because they were not authorized to speak publicly. They cautioned that the observations are merely suspicions based on what they knew of agency security changes and that they had no direct knowledge of the cause of the breach.

On Friday, FEMA’s security office blocked agency staff from accessing a handful of apps and websites, including X, Facebook, YouTube and Reddit, according to both people and internal communications sent that day that were seen by Nextgov/FCW. The websites are blocked “due to their nature,” the email reads, without elaborating.

Additionally, FEMA staffers can no longer disable internet security services provided by Zscaler without a password, both people said. Zscaler is a cloud security company that sells internet and application security tools.

The new Zscaler policy is notable, the people said. Prior to the new password rule, employees could navigate to an interface and disable Zscaler security controls within seconds by typing a reason for disabling the services into a query box. Once completed, the security layers could be turned off indefinitely, or until the corresponding laptop computer was restarted.

In addition, poor mobile device configurations tied to a Slack channel used by a major government contractor could have also contributed to the security failures, one of the people said. FEMA staff use Microsoft Teams, but this particular contractor uses Slack to coordinate and exchange information between contracted workers and agency staff.

Nextgov/FCW is withholding the contractor’s name to prevent potential targeting of their systems by malicious actors.

The contractor does not have the same security controls in place for users who access its Slack workspace on mobile devices, as the initial login on a mobile device “doesn’t expire,” the person said, noting that, if a contractor’s Slack-enabled phone is stolen, then sensitive data could easily be gleaned and pilfered once a thief unlocks the phone.

Charles Armstrong, FEMA’s former chief information officer and the highest-level IT employee terminated by Noem, declined to speak with Nextgov/FCW when contacted multiple times for this story.

Nextgov/FCW has also emailed FEMA and DHS requesting comment.

An internal FEMA email dated August 18 previously obtained by Nextgov/FCW ordered all agency employees to change their passwords “due to recent cybersecurity incidents and threats.” It required password changes within two weeks of the email being sent. The email did not provide details about the security issues.

FEMA’s IT employees “resisted any efforts to fix the problem,” avoided scheduled inspections and “lied” to officials about the scope of the cyber vulnerabilities, DHS said when Noem first announced the staff terminations last month.

“Failures included: an agency-wide lack of multi-factor authentication, use of prohibited legacy protocols, failing to fix known and critical vulnerabilities, and inadequate operational visibility,” DHS said.

DHS was impacted in a sweeping, global hack involving Microsoft SharePoint products in July, Nextgov/FCW first reported. It’s not clear if that incident is tied to the firings in FEMA, a component agency of DHS.