House Subcommittee on Federal Workforce, US Postal Service and Census
Examining Data Security at the United States Postal Service
2154 Rayburn House Office Building
November 19, 2014
The Honorable Blake Farenthold (R-TX), Chairman, Subcommittee on Federal Workforce, US Postal Service, and Census
- A substantial number of mail covers were made available to various law enforcement agencies without sufficient justification.
- This information was revealed in a recent review by the USPS Office of Inspector General, which found program deficiencies.
- I’m concerned about how long it took the Postal Service to act once its data breach became apparent.
The Honorable Stephen Lynch (D-MA), Ranking Minority Member
- My concern is whether or not technology exists that allows the reading of mail without opening the envelope. This, I’m told, can be done with email without opening it.
- I’m concerned about the delay that took place between the knowledge of the breach and notification of employees.
- As soon as you know that personal information has been obtained, employees should be notified immediately. Doing anything other than that doesn’t work.
- The secret squirrel stuff as to who and how this is being done won’t fly.
- I am very disappointed in the way the Postal Service has handled this. This may need a legislative remedy. You need to be more forthcoming than you were in this case.
The Honorable Elijah Cummings Ranking Minority Member of the full committee (D-MD)
- Chairman Issa has ignored several of my requests for hearings on data challenges within the public sector.
- I’m concerned about the adversarial nature of Mr. Issa’s and Mr. Farenholdt’s press releases on this matter.
- I want to thank the Postal Service regarding its work with the committee on this issue.
The Honorable Danny Davis (D-IL)
- I, like other of my colleagues, am concerned about the delay in notification to employees and customers.
Witnesses and Testimony
Mr. Randy Miskanic Vice President of Secure Digital Solutions, United States Postal Service
- With the discovery of the recent cyber intrusion into some of the Postal Service’s information systems—an incident that has received broad media coverage—our Mass Data Compromise Response Plan (MDCRP) was invoked to ensure the appropriate level of technical, investigative and communications response. Given my prior experience in Secure Digital Solutions and in federal law enforcement, the Postmaster General appointed me to the role of Incident Commander to direct MDCRP activities.
- Protecting the privacy of customer and employee information is a priority for the Postal Service.
- The intrusion is limited in scope and nearly all operations of the Postal Service are functioning normally. Sadly, this incident is similar to a growing number of attacks reported by many other federal government entities and U.S. corporations.
- We are not aware of any evidence that potentially compromised customer or employee information has been used to engage in any malicious activity, and we are working with impacted individuals to mitigate potential misuse of such information.
- As our investigation of this incident progressed, it became apparent that the intrusion was very sophisticated and had been developed specifically to exploit the Postal Service computing environment. In fact, over the course of the investigation, we learned of the dynamic tactics employed by the adversary to evade detection by most commercial information security tools.
- One of our biggest challenges was maintaining secrecy regarding the remediation of several of our infected systems. Therefore, we worked closely with the U.S. Computer Emergency Readiness Team (US-CERT), the FBI and other forensic experts to develop a strategy for protecting our network.
- On September 11, 2014, the U.S. Postal Service Office of Inspector General (USPS OIG) reported that they received information from the US-CERT regarding four Postal Service servers that were sending unauthorized communication outside of the organization, indicating that these systems may have been compromised. The USPS OIG alerted the Postal Service’s Corporate Information Security Officer (CISO) of the suspicious network activity.
- On September 19, the Postal Service CIO reported the suspicious network activity to the Postmaster General (PMG). The PMG was also advised at that time that the cyber intrusion investigation was ongoing and that only the USPS OIG and USPIS should take action to mitigate the threat and that any premature action could further endanger the network. Subsequently, information regarding this incident remained highly confidential and restricted to only individuals directly involved with the investigation. Due to the broadening scope of compromise and resulting forensic analysis requirements, data was submitted to the U.S. Department of Defense Cyber Crime Center for forensic analysis.
- The Postal Service CIO concurrently invoked the MDCRP—declaring that the critical incident would be managed through a formal Incident Command structure. As the appointed Incident Commander, I subsequently formed teams to handle various aspects of the plan—specifically, Technical Branch, Communications Branch and Investigative Branch teams.
- On October 17, the FBI Cyber Unit provided a Top Secret/Sensitive Compartmented Information briefing to the Postal Service Incident Command leadership and advised that the adversary was – 5 – very sophisticated and that implementing mitigation activities or communicating the threat to employees or the public at that point could result in the threat being further embedded into the Postal Service network. The FBI also reemphasized the need to exercise a high level of operational security during the management of this critical incident.
- On October 22, the Deputy Postmaster General, U.S. Postal Service Inspector General, Chief Postal Inspector and I conducted separate classified briefings for House Oversight and Government Reform Committee and Senate Homeland Security and Governmental Affairs Committee staffs. The Committee staffs were informed of the current status of critical incident activities, the proposed plan to implement remediation within the Postal Service network, and the suspected compromise of employee PII data.
- An inability to effectively answer employee, customer, and business partner questions regarding the specific content and victims of the compromised data created yet another concern. Prematurely announcing the intrusions before these important facts were discovered would have undoubtedly led to a great deal of frustration and confusion.
- On November 4, the investigative team—with the assistance of US-CERT—confirmed that the Postal Service employee PII data was copied and stolen from the Postal Service network. The scope of the compromised data included, names, dates of birth, social security numbers, addresses, beginning and end dates of employment, emergency contact and other information.
- New network security safeguards put into place over this two-day period included removing workstation administrator rights and enhancing network monitoring. We also upgraded and segmented Administrative Domain Controllers, removed compromised systems and accounts, and implemented two-factor authentication for administrative accounts.
- To further reduce the likelihood of phishing or spear-phishing emails—common and increasingly sophisticated ways of compromising computer users and systems—impacting the Postal Service network, access to personal email sites such as Gmail or Yahoo was, and continues to be, blocked.
- Key postal stakeholders, including Union and Management Association national presidents, strategic business partners, including mailing industry leaders, and heads of key federal agencies were personally contacted and informed of the security breach.
- At this time, we do not believe that Postal Service transactional revenue systems in Post Offices, as well as on usps.com where customers pay for services with credit and debit cards, were affected by this incident.
- The investigation indicates that all 800,000 plus Postal Service career and non-career employees nationwide, including those working for the Postal Regulatory Commission, the Office of Inspector General and the U.S. Postal Inspection Service, have been affected by the breach.
- The Postal Service is making credit monitoring service available to all employees, as well as those who left the organization since May 2012, at no charge for one year.
- During the activation of our remediation plan, Carnegie Mellon’s CERT-CC performed a vulnerability assessment on systems that were compromised. CERT-CC found that the Postal Service has solid policies for information security; however, various business units do not always follow these policies. It also found that critical systems could be protected by better segregation from the general IT user systems.
- Going forward, the Postal Service will also increase our collaboration with government agency partners such as US-CERT and the National Cybersecurity and Communications Integration Center (NCCIC) to understand tactics used by cyber security adversaries, as well as other threats to national security.
Mr. Guy Cottrell, Chief Postal Inspector, United States Postal Service Inspection Service
- My testimony today will focus specifically on the Postal Service’s mail cover program, and the controls in place to ensure appropriate privacy protections are maintained. I will also update the Committee on the progress made regarding recommendations contained in the Postal Service’s Office of Inspector General’s Report; “Postal Inspection Service Mail Covers Program” released in May 2014.
- A mail cover is the process by which a nonconsensual recording is made of any data appearing on the outside cover of any sealed or unsealed class of mail matter (e.g., the name and address of the sender and addressee) or by which a record is made of the contents of any unsealed class of mail matter, for one of the following reasons: (i) To protect national security, (ii) To locate a fugitive, (iii) To obtain evidence regarding the commission or attempted commission of a crime, punishable by law by imprisonment for a term exceeding one year, (iv) To obtain evidence of a criminal violation or attempted criminal violation of a postal statute, or (v) To assist in the identification of property, proceeds or assets which are forfeitable because of a violation of criminal law.
- The regulations governing mail covers are found at 39 CFR § 233.3. The regulations state the Postal Service maintains rigid control and supervision with respect to the use of mail covers as an investigative technique for law enforcement or the protection of national security. This function has been delegated to me in my position as the Chief Postal Inspector.
- Any personal information obtained in connection with the mail cover program is protected in accordance with the Privacy Act. Information obtained from mail covers must be treated as restricted, confidential information. Inadvertent or intentional compromise of an investigation may result from someone informing the subject a mail cover is in effect or by revealing information obtained from a mail cover. Only postal personnel are authorized to record information relevant to mail covers and this information should only be disclosed at the express direction of the Postal Inspection Service for a law enforcement purpose as described above.
- Courts have found there is no reasonable expectation of privacy with respect to information contained on the outside of mail matter.
- No reasonable expectation of privacy exists which would otherwise be protected under the Fourth Amendment as a person has no legitimate expectation of privacy in the information voluntarily turned over to a third party. There is an obvious need for the Post Office to read and review information contained on the outside of a mail piece in order to ensure it reaches its destination.
- It is important to note the lack of a reasonable expectation of privacy applies only to the information contained on the outside of the mail piece. Any information or matter contained within a mail article sealed against inspection remains subject to the protections of the 4th Amendment and the requirement of a Federal search warrant.
- Mail covers may be used as an investigative tool by other law enforcement agencies, however, a written request must be made through the U.S. Postal Inspection Service. Requesting law enforcement agencies must treat mail covers as restricted and confidential information. As with internal mail cover requests outside law enforcement agencies must demonstrate reasonable grounds for requesting and using a mail cover. The requesting law enforcement agency must explain what criminal law the subject of the mail cover is violating and how the mail cover could further the investigation or provide evidence of a crime. Mail covers are authorized only when all requirements are met within the written request.
- Trends over the past five years indicate a continued reduction in the use of mail covers by outside law enforcement agencies. This trend is consistent with the decreased use of mail covers by the Postal Inspection Service, with one significant exception. In late FY 2012, the Postal Inspection Service revised procedures in connection with criminal investigations into dangerous mail and narcotics investigations.
- The Inspector General’s first recommendation advised the Postal Service to improve controls to ensure responsible Postal Inspection Service personnel process mail covers as required. The Inspection Service has taken those steps.
- The second recommendation advised the Postal Inspection Service to establish procedures to ensure periodic reviews of mail covers are conducted as required. The Inspection Service revised procedures for conducting periodic reviews of mail covers, which are incorporated into the annual comprehensive self-assessment process.
- The mail cover is an important investigative tool, and we welcomed the Inspector General’s review of the mail cover process to help us safeguard its future use.
- The mail cover has been in use, in some form, since the 1800’s. Today, the most common use of this tool is related to investigations to rid the mail of illegal drugs and illegal drug proceeds. Our narcotics program emphasizes the safety of postal employees and strives to protect them from handling mail that contains narcotics and trafficking proceeds and the associated violence.
- Contrary to recent media assertions, mail imaging is not a “surveillance” tool – it is a mail processing tool.
- Over the past year media reports have conflated the use of mail covers, mail imaging, and the MICT process to suggest a conspiracy to spy on the mail of the American public—whom we are honored to serve and who trust us to keep the mail safe. This notion could not be further from the truth.
Ms. Tammy Whitcomb, Deputy Inspector General, United States Postal Service Office of Inspector General
- Our audit found that mail cover procedures are not always followed:
- In 13 percent of cases, external mail cover requests were approved without adequate justification either because the requestor did not include sufficient justification in the request or the justification was not adequately entered into the electronic system.
- Authority to approve mail covers was not always delegated appropriately: 21 percent of mail cover requests were not approved by authorized individuals.
- The Postal Inspection Service did not ensure that outside law enforcement returned mail cover information on time. In 61 percent of cases, mail cover records were not returned within 60 days as required.
- The computer system used to process mail covers had flaws. We found more than 900 cases where the system incorrectly showed a mail cover was active even though the cover period had ended. System problems
also prevented mail covers from being extended, and sometimes the same tracking number would be issued to different requests.
- There were delays in processing mail covers both by the Postal Inspection Service and at Postal Service facilities.
- Finally, the Postal Inspection Service did not carry out its required annual reviews of the program.
- Our audit recommended that the Postal Service and Inspection Service improve controls over the mail covers program, establish procedures to ensure the 4 required program reviews are conducted, and fix the electronic system.
Mr. Tim Edgar, Visiting Fellow, Watson Institute for International Studies Brown University
- “Is nothing sacred?” has been the most common reaction of friends and colleagues to the news about privacy problems at the United States Postal Service (USPS). The dismay says a lot about the trust that Americans place in the post office to protect the privacy of their correspondence.
- The post office seemed to offer a last refuge for American privacy. It is indeed alarming that the government is capable of invading our privacy even if we choose to live our lives as complete technophobes, without ever touching a phone or a computer.
- The subject of today’s hearing is not the opening of mail, which requires a warrant, but the investigative tool known as “mail covers.” Mail covers involve copying what appears on the front and back of an item of mail – generally, addresses for a sealed envelope or the contents of postcards or pamphlets. When properly controlled, the tool is an appropriate one for law enforcement and national security investigations, but it carries much the same privacy risks as orders for communications metadata.
- Monitoring of mail through mail covers can give the government a revealing picture of a person’s life, including who among their friends and relatives is thoughtful enough to send a traditional letter or card, the accounts they maintain at banks and other financial institutions, and the organizations on whose mailing lists they belong.
- Mail monitoring will also reveal connections with physician’s offices, which can reveal very intimate information. The name and address of such correspondence can reveal that a person has a condition that requires a specialist, is seeing a psychotherapist, or has obtained an abortion or family planning services.
- Physicians often rely on the mail to meet federal privacy requirements precisely because Internet communications are usually unencrypted and therefore insecure.
- These [the IG’s] findings represent more than a few compliance problems at a large federal agency. They shake our confidence in longstanding principles of privacy and civil 4 liberties that have been a part of the American system since the days of George Washington.
- The compliance incident rate found by the Inspector General – 20% of mail covers approved improperly because of a lack of written authorization, and 13% approved without sufficient justification – are not acceptable.
- As the mail monitoring abuses of the past have demonstrated, vigilance by the postal service is necessary to protecting the rights of the public. The postal service must be a stickler for proper procedure – it cannot afford to be lax, especially when it comes to investigative tools, like mail covers, that require no judicial review or oversight.
- Like the NSA, the USPS can adopt much more rigorous and detailed oversight of its handling of privacy requirements.
- The USPS should fight to make more, not less, information available about national security requests.
- The USPS must be careful to avoid the problems created by the NSA’s bulk collection of telephone metadata. The system for monitoring the outside of mail 11 takes advantage of new imaging software that photographs every letter processed by the USPS. This system effectively facilitates a form of bulk collection of postal metadata.
- History shows, however, that the USPS has not always lived up to the ideals of the nation, or its own ideals, in vigorously protecting the privacy of the mail. These failures were not the result of malice, but of laxity in enforcing privacy requirements. Enforcing these requirements to the letter is the best safeguard against future abuses.
Captain Charles Hamby, Narcotic Enforcement Division Prince George’s County Police Department
- The Prince George’s County Police Department is in support of the U.S. Postal Inspection Service Mail Covers Program.
- Various investigative units within the police department, including but certainly not limited to fugitive apprehension teams and narcotic enforcement units, have utilized mail covers as a supplemental investigative tool to further their cases.
- Mail covers are able to provide assistance to law enforcement agencies conducting criminal investigations by identifying names and addresses of entities, individuals, and locations that are associated with the subject being investigated.
- Fugitive teams utilize mail covers to identify individuals and locations that could lead to apprehension of the wanted subject.
- Narcotic investigations also benefit from mail covers by providing information regarding identification of conspirators, locations and methods used by drug organizations.