WASHINGTON--In response to reports of persistent cybersecurity flaws at the Department of Homeland Security, a top congressional Democrat on Wednesday questioned whether the agency's chief information officer deserves to keep his job.
The department charged with safeguarding the security of the nation's computer systems has not been setting a good example and CIO Scott Charbo hasn't shown he's serious about fixing its vulnerabilities, said Rep. Bennie Thompson (D-Miss.), chairman of the House of Representatives Homeland Security Committee.
"How can we ask the private sector to better train employees and implement more consistent access controls when DHS allows employees to send classified e-mails over unclassified networks and contractors to attach unapproved laptops to the network?" Thompson asked at an afternoon hearing here held by a subcommittee that deals with cybersecurity issues.
He was referring to the Homeland Security department's revelation, as part of an ongoing subcommittee probe into its information security practices, that it experienced 844 security-related "incidents" on its computer systems in 2005 and 2006. Those episodes included unauthorized users hooking up personal computers to government networks, unauthorized software installations, classified e-mails traveling over unclassified networks, suspicious botnet activity, trojans and virus infections, classified data spillages and misconfigured firewalls.
Charbo, for his part, downplayed the lengthy list, saying that they didn't indicate actual penetrations of the system and varied widely in the level of severity. "Those are events that we report on as a data-gathering tool," the IT chief told the politicians, adding that he was confident all breaches considered significant had been addressed properly.
"How can we ask the private sector to better train employees and implement more consistent access controls when DHS allows employees to send classified e-mails over unclassified networks and contractors to attach unapproved laptops to the network?"
--Rep. Bennie Thompson (D-Miss.)
The congressional panel that convened Wednesday's hearing has been probing the extent to which various federal agencies are equipped to handle cyberthreats. At a hearing in April, committee members accused officials at the Commerce and State Departments of being ill-prepared to handle such threats in light of reports of intrusions from Chinese hackers, and they warned that Homeland Security would be undergoing scrutiny next.
Even so, Government Accountability Office auditors at Wednesday's hearing said various components of Homeland Security still aren't doing enough to limit access to their systems, authenticate and identify users, encrypt sensitive data and keep logs of user activity.
The GAO is preparing to release a report based on a yearlong investigation that it says documents "pervasive" security flaws in Homeland Security's US-VISIT program, which is designed to verify the identity of foreigners through fingerprint scans and is currently being used at several U.S. ports of entry.
Keith Rhodes, one of the report's authors, said the GAO found that US-VISIT is riddled with problems "across the board," which, left uncorrected, could put sensitive personal information at risk. The flaws are mostly due to "bad configurations" that could be fixed both easily and cheaply, he said. But because of the deficiencies, there's no way of knowing whether the database associated with the computer systems has already been hacked, he said.
"I did not see controls in place that would prevent (hacking), I did not see defensive perimeters, and I did not see detections systems in place that would let you know whether it had or had not" been hacked, Rhodes told the committee.
Charbo said he and department officials were still reviewing the draft version of that report but were prepared to address the weaknesses by year's end.
On a broader level, Charbo said he realizes the agency has improvements to make but urged the politicians not to overlook what he called "significant progress" during the past few years. For instance, it has "remediated" 7,000 weaknesses identified by auditors and has certified that 95 percent of its systems have appropriate controls in place--compared with only 26 percent in October 2005.
Others questioned whether the department has been dedicating enough of its overall tech budget to security. According to Homeland Security, it spent $12.5 million in 2004, $17.5 million in 2005, and $15 million in 2006 and 2007. Charbo justified those expenditures by saying they reflected "our strategic security plan."
The lone Republican present at the hearing, subcommittee co-chairman Michael McCaul (R-Texas), said he and others were considering introducing legislation that would force Homeland Security to come up with a "national strategic threat assessment" regarding U.S. cybersecurity.
"This has never been done, it's long overdue, and the nation needs this to protect it," he said, adding that he feared a devastating cyberattack could be worse than the "effects of a weapon of mass destruction."
Like the the panel members are qualified to even be discussing this stuff? I'm sure they can hardly select a radio station in their car or set their digital watch and they are evaluating the very complex issue of computer security. What a joke. Yes, It's important and a cyberattack would criple this country easily. Look at Estonia as an example. A few Russian hackers brought the country to a standstill. Congress has proven time and again that they are incapable of oversite but are too busy getting ink to let that bother them.
... perhaps, it will have to be the scenario where like that in the United Kingdom where you have MI5 and MI6, you will have to have the DHS and the CIA combining to address those internal and external security scenarios.
While I would not try to defend the DHS from much needed criticism, perhaps Rep. Bennie Thompson should look closer to home for issues that need immediate attention.
Being ranked 48th out of 50 in the quality of state education is a matter that would seem to be far more pressing.
There always has to be someone blamed for security breaches. Sometimes I think companies hire people just for scapegoats.
If this man's career is at stake a formal investigation should be done before allegations are made about his efforts.
So often we judge after a general opinion and not after true facts. A lot of companies and even Government oganizations still do not see the necessity of professionally maintained information security infrastructure. That is becuase of ignorance.
We must not be ignorant of information security and we should stay ahead of the criminals if we want to win the war on information security.
Top Democrat suggests CIO isn't fit to keep his job amid reports of security-related "incidents. <a class="jive-link-external" href="http://www.versuri32.com" target="_newWindow">http://www.versuri32.com</a>
Chinese authorities have reportedly taken iPads from a third-party retailer, a move apparently brought on by Apple's continued refusal to honor a trademark for the iPad name owned by a Chinese manufacturer.
NY professor believes that a word-based algorithm can help bring together those who believe, with one glimpse, that they have found and lost the love of their lives.
After a higher-than-expected fourth quarter, the video subscription service unburdens itself of a pending yearlong class action suit and settles for $9 million.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
This week, we pass around Sony's new PlayStation Vita for some hands-on testing, check out HP's newest Beats Audio laptop, and debate the best and worst Valentine's Day gadget gifts.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
Congress has proven time and again that they are incapable of oversite but are too busy getting ink to let that bother them.
While I would not try to defend the DHS from much needed criticism, perhaps Rep. Bennie Thompson should look closer to home for issues that need immediate attention.
Being ranked 48th out of 50 in the quality of state education is a matter that would seem to be far more pressing.
cheers
todd
<a class="jive-link-external" href="http://www.virushackerfreeinanhour.com" target="_newWindow">http://www.virushackerfreeinanhour.com</a>
If this man's career is at stake a formal investigation should be done before allegations are made about his efforts.
So often we judge after a general opinion and not after true facts. A lot of companies and even Government oganizations still do not see the necessity of professionally maintained information security infrastructure. That is becuase of ignorance.
We must not be ignorant of information security and we should stay ahead of the criminals if we want to win the war on information security.
<a class="jive-link-external" href="http://www.foretwander.com" target="_newWindow">http://www.foretwander.com</a>
<a class="jive-link-external" href="http://www.versuri32.com" target="_newWindow">http://www.versuri32.com</a>