WASHINGTON--Politicians from states opposed to the U.S. government's Real ID plan had one message on Wednesday: It's not too late to turn this ship around.
Democratic Senator Jon Tester
(Credit: U.S. Senate)Mark Sanford, the Republican governor of South Carolina, and Jon Tester, a Democratic U.S. senator from Montana, on Wednesday delivered a now-familiar bruising to the controversial national driver's license standards, which they criticized as an unfunded mandate that passed with no formal debate in Congress, posing threats to U.S. citizens' privacy and states' authority.
Now that the U.S. Department of Homeland Security has extended deadlines for all 50 states and the District of Columbia, the rules have essentially been punted to the next administration. That "baton passing" stage is a key opportunity to continue rebelling against the rules, the two politicians told a packed auditorium at an event sponsored by the Cato Institute, a free-market think tank that opposes Real ID.
"With a broad-based group, we can make some changes, but you need to be active, you need to be vocal, you need to be talking to your folks," Tester said.
Tester is one of the sponsors of Identification Security Enhancement Act, which would yank Real ID and replace it with a "negotiated" rulemaking process that was proposed before Real ID was glued onto an emergency Iraq war spending bill that passed unanimously in 2005. At a hearing last week, some senators indicated they'd be pushing for that proposal's enactment into law, although a timeline is unclear.
Sanford, for his part, is worried that many people are "sleeping through" the debate and urged opponents to help awaken them to the problems that he and other state officials see with Real ID. He charged that the plan is "the mother of all unfunded mandates" (with an estimated $116 million price tag for his small state), will force his state's residents to endure long waits at the Department of Motor Vehicles, meddles in states' governing powers, and requires interlinked databases that could offer "one-stop shopping for every computer hacker around the world."
Homeland Security, for its part, argues that more secure driver's licenses and identification documents are necessary to prevent terrorists, identity thieves, and illegal immigrants from committing wrongdoing, and it views Real ID as a pathway to that end.
The department has always characterized Real ID as voluntary, but when the rules kick in, state residents won't be able to board airplanes or enter federal buildings unless they present without a compliant identification card, driver's license, or U.S. passport. The first wave of requirements were originally supposed to kick in May 11, but any potential airport chaos has been postponed until at least the end of next year: The agency has since opted all 50 states and the District of Columbia deadline extensions for beginning to come into compliance with Real ID--whether they requested them or not.
South Carolina Gov. Mark Sanford
(Credit: South Carolina Governor's Office)South Carolina is one of eight states that has passed legislation prohibiting implementation of Real ID--and it also falls into the category of states that vowed to stick by that position, Sanford said. (Ten other states have passed resolutions opposing Real ID, and two more--Arizona and Alaska--may be joining the rebellion soon.)
In late March, Sanford sent a letter (PDF) to Homeland Security Secretary Michael Chertoff, in which he said he could not authorize the state to comply with Real ID and outlining a list of concerns with the policy. The governor recounted receiving a "bizarre" response: an effectively unsolicited deadline extension.
Sanford suggested he'll continue to uphold his state's law rejecting Real ID and indicated Homeland Security's behavior is nothing more than politics as usual. "There's a real tendency in the political process to kick the can," he said. "Everyone wants to have a reasonably good day. The idea of having a meltdown on a policy or proposal that you're responsible for is not exactly an idea of a good day."
The U.S. government has been keeping watch from space for almost 50 years, starting with the Corona program overseen by the National Reconnaissance Office. In September 1967, a Corona camera in orbit took this picture of the Pentagon.
(Credit: National Reconnaissance Office)WASHINGTON--A plan to expand the number of government police and security agencies that can tap into detailed satellite images is proceeding, despite concerns from Congress, the head of the U.S. Department of Homeland Security said Wednesday.
During a roundtable discussion with bloggers and journalists here, Secretary Michael Chertoff said a "charter has been signed" to create a new office, which will serve as a clearinghouse for requests from law enforcement, border security, and other domestic homeland security agencies to view feeds from powerful satellites. It will be called the National Applications Office.
"I think the way is now clear to stand (the office) up and go warm on it," said Chertoff at Homeland Security's headquarters here.
Right now, these spy satellites are more commonly used for things like monitoring volcanic activity, hurricanes, floods, and various environmental and geological shifts. But the agency has said it sees important applications for the images in other areas within its purview, such as terrorism investigations and illegal immigration busts.
Originally, the but those plans were delayed after congressional Democrats raised privacy concerns. They said they wouldn't be able to support the program until the agency lays out exactly what legal framework it will be using to fulfill requests by, say, state and local police, and how it will protect Americans' civil liberties.
Chertoff said Wednesday that the department has completed the privacy impact assessments for the new office and should be releasing them within a few days. He said that members of Congress have received briefings and that he thinks there's a "good process in place to make sure there aren't any legal transgressions."
This photo shows the Soviet Union's Dolon Air Field in August 1966. The NRO calls Corona the "first operational space photo reconnaissance satellite."
(Credit: National Reconnaissance Office)In the past, Homeland Security officials have downplayed the implications of allowing more agencies to access the satellites, arguing that in addition to scientific applications, the technique has already been employed from time to time by the Secret Service and FBI. For instance, when a well-publicized series of sniper attacks swept through the Washington, D.C., area in October 2002, the CIA and FBI were permitted to use images provided by the National Geospatial Intelligence Agency to look for places snipers might hide along highways along the east coast.
"I think we have fully addressed everybody's concerns," Chertoff said Wednesday. "We've made it clear this is not going to be interception of communications, verbal or oral or written. That's still going to be done under the traditional way."
The Homeland Security secretary, however, may not have that easy a time persuading congressional overseers.
Within the next few days, Reps. Jane Harman (D-Calif.) and Christopher Carney (D-Penn.), who lead Homeland Security subcommittees, are planning to send Chertoff a letter that says the new scheme still isn't ready for launch, a Democratic aide to the U.S. House of Representatives Homeland Security Committee, which oversees the department, told CNET News.com on Wednesday.
Committee leaders say the charter for the National Applications Office is "wholly inadequate," said the aide, who spoke on condition of anonymity since the letter is still being drafted. They plan to criticize the department for allegedly failing to outline the legal framework and other "standard operating procedures" governing the program.
Furthermore, the Government Accountability Office has not yet vetted the program's privacy guidelines, which was made a condition for the National Applications Office to receive congressional funding, the aide said.
On cybersecurity
Also at the roundtable discussion, Chertoff attempted to defuse concerns that Homeland Security's cybersecurity arm plans to "sit on the Internet," as he put it, and monitor traffic in a manner reminiscent of the Chinese government.
As part of its efforts to detect network intrusions in real time, Homeland Security has said it plans to expand use of an existing system known as Einstein, that will, among other things, monitor visits from Americans and foreigners visiting .gov Web sites. The set-up is in place at 15 federal agencies, but Chertoff has asked for $293.5 million from Congress in next year's budget to roll it out governmentwide.
In addition to outfitting federal networks with those tools, Chertoff said the government also plans to help companies to fend off cyberattacks by offering some of its "classified" intrusion detection tools--but such aid will be purely optional.
As for the department's broader strategy, "in some ways, it's more and better of what we're doing," Chertoff said. "In some cases, it may involve some additional things I can't talk about."
In addition, Chertoff spoke about the Real ID Act and the department's May 11 deadline--see our separate story.
At U.S. Secret Service headquarters, numerous companies, and state and international government offices this week, computer security types have been forced to fend off hundreds of potentially crippling cyberattacks.
No need to worry, though--at least this time around, no actual networks were harmed in the process.
It was all part of the Department of Homeland Security's second iteration of Cyber Storm. The weeklong, congressionally mandated exercise is designed to test the readiness of government and business officials if confronted by cyberthreats to critical networked services, from transportation systems to the electrical grid to chemical plants.
This time around, the mock attack involved officials from 18 federal government agencies, four foreign countries (Australia, Canada, New Zealand, and the United Kingdom), nine states, and more than 40 companies (among them: McAfee, Microsoft, Cisco, Dow Chemical Company, Juniper Networks, and Wachovia).
Homeland Security is hailing the exercise as the largest-ever simulation of its kind, with a significant uptick in the number of "incidents" lobbed at participants. That may be true, but since it's also only the second such activity of its kind, it seems only logical that its scale would grow over time.
Participants this year have had to contend with nearly 2,000 "injects," ranging from hacker intrusions and amped-up denial-of-service attacks, with intentionally misleading intelligence information thrown in just to make things even more difficult, according to DHS officials' interviews in other published reports.
Cyber Storm I, which played out over a week in February 2006, involved seven federal agencies, more than 30 companies, and the same five countries. At the time, it was called the "most complex multinational, cross-sector cyber exercise to date" and involved coordination among people in 60 different physical locations.
A fairly general report on Cyber Storm I (PDF) spotlighted a number of remaining challenges, such as an insufficient number of "technical experts" on board to decipher loads of information pouring in; difficulties figuring who to call within organizations to seek help during crises; and lack of a "triage" plan for cyber incidents.
But we probably won't know for quite awhile exactly what the Cyber Storm II exercise looked like or how well the responses to incidents held up.
After all, it wasn't until nearly two years after Cyber Storm I that the Associated Press was able to obtain a portion of heavily censored internal files that shed some light on the scenarios. Fake catastrophes ranged from downed New York seaport computers, to bloggers revealing locations of railcars with hazardous materials, to airport control tower disruptions in Philadelphia and Chicago.
WASHINGTON--A new Bush administration plan to capture and analyze traffic on all federal government networks in real time is generating privacy worries from congressional Democrats and Republicans alike.
At a hearing convened here Thursday by the U.S. House of Representatives Homeland Security Committee, politicians directed pointed questions to Department of Homeland Security officials about their plans to expand an existing "intrusion detection" system known as Einstein. Among other things, the system will monitor visits from Americans--and foreigners--visiting .gov Web sites.
Einstein, which DHS calls an "early warning system" for cyber-incidents, is described in a Homeland Security document from September 2004 as "an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian government." It's still only in place at 15 federal agencies, but Homeland Security Secretary Michael Chertoff requesting $293.5 million from Congress in next year's budget to roll it out government-wide.
The round-the-clock system captures traffic flow data, which currently includes source and destination IP addresses and ports, Internet Control Message Protocol data, and the length of data packets. According to an internal 2004 privacy impact assessment (PDF), "the program is not intended to collect information that will be retrieved by name or personal identifier." Members of the U.S. Computer Emergency Readiness Team, which coordinates federal responses to cyber attacks, analyze the downloaded records once per day in hopes of detecting worms and other "anomalous activity," pinpointing trends, and advising agencies on how best to configure their systems.
Homeland Security says the setup has helped reduce the time it takes for agencies to share such data from four to five days to four to five hours. The next step is to hire more analysts and enable the analysis to occur in real time, DHS says.
Beyond that, it's not exactly clear what will change, including whether the system will gather more information than before, or what will be done with it. But some politicians said they're already apprehensive about the new plans.
"I encourage you to try to find something beyond Einstein that's going to be focusing on bad guys, not just focusing on the general public but finding some way to protect the privacy of American citizens," said Rep. Paul Broun (R-Ga.).
Rep. Jane Harman (D-Calif.) criticized the department on one hand for treating cyber threats with sufficient urgency--a common refrain from members of both parties ever since the sprawling government agency's inception. But she also questioned the new approach being offered.
"I can assure you constituents of mine listening to this hearing are thinking about this as the government sets up a new spy network," she said. "What would you advise me to tell my constituents (who want to know) how I'm going to stop this latest government spy network?"
Homeland Security under secretary Robert Jamison presides over an agency division that's responsible for coordinating all federal cybersecurity activities.
(Credit: U.S. Department of Homeland Security)Robert Jamison, a Homeland Security undersecretary whose division oversees cybersecurity activities, declined to talk specifics, saying details must be reserved for a classified session.
"We have privacy and civil rights folks involved in this," he said. "We're in the process doing a privacy impact assessment for the new capability as we move forward."
Government agencies are required by law to produce such a report whenever they're planning to use a new technology that could involve collection of personally identifiable information. The goal is to ensure that no information is collected, stored, or accessed either unnecessarily or unlawfully.
The fact that Homeland Security officials are drawing up a new privacy impact assessment for the expansion of the Einstein project would seem to indicate they're considering gathering additional information, although it was unclear after Thursday's hearing whether that's the case.
Jamison, for one, claimed Einstein's new capabilities will be "no different" from those in commercial products used to detect worms or other malware. He indicated, however, that the government has no intention of scaling back the scope of its network monitoring.
"Adversaries are very adept at hiding their attacks in normal traffic--normal, everyday traffic that comes across the network that very well could be disguised and could be malicious," Jamison told the committee.
Einstein is just one part of Homeland Security's attempts to revamp its cybersecurity reputation. It's also working with the Office of Management and Budget on a project that would reduce the number of points at which all federal agency networks connect to the Internet--which right now numbers around 4,000--and thus encounter vulnerabilities from outside their realms.
Whenever a system monitors users' communications, privacy concerns naturally arise, said James Lewis, who runs the technology policy wing of the Center for Strategic and International Studies, a Washington think tank, and is working with members of Congress to devise cybersecurity policy recommendations for the next president. In this case, however, he said he didn't see any reason to be alarmed about Einstein quite yet.
"For Einstein to really affect privacy, you'd need to monitor and collect the communications, store them, and analyze them (e.g. have somebody actually read the content)," he said in an e-mail interview after Thursday's hearing. "I'm told that DHS won't store Einstein data and won't be analyzing it, which greatly reduces any risk to privacy."
Committee leaders warned that they'd be watching closely to see whether the plans pan out.
"It's hard to believe this administration now believes it has the answers to secure our federal networks and critical infrastructure," said Committee Chairman Bennie Thompson (D-Miss.).
The Electronic Frontier Foundation and the Asian Law Caucus are suing the Department of Homeland Security over aggressive searches and seizures of travelers' property and information at U.S. borders.
As reported on BoingBoing:
ALC, a San Francisco-based civil rights organization, received more than 20 complaints from Northern California residents last year who said they were grilled about their families, religious practices, volunteer activities, political beliefs, or associations when returning to the United States from travels abroad. In addition, customs agents examined travelers' books, business cards collected from friends and colleagues, handwritten notes, personal photos, laptop computer files, and cell phone directories, and sometimes made copies of this information. When individuals complained, they were told, "This is the border, and you have no rights."
"When the government searches your books, peers into your computer, and demands to know your political views, it sends the message that free expression and privacy disappear at our nation's doorstep," said Shirin Sinnar, staff attorney at ALC. "The fact that so many people face these searches and questioning every time they return to the United States, not knowing why and unable to clear their names, violates basic notions of fairness and due process."
NPR's Morning Edition broadcast a segment on this story this morning. The Department of Homeland Security is vigorously defending its right to search and seize at the border, and is supported by legal precedent. The segment suggested that travelers' best option was to bring only essential information along on international trips.
I feel like ordinary American citizens are having to become like Jason Bourne, buying the cell phone, making a call and then throwing it away. A more practical suggestion may be that if you are upgrading a laptop, you may want to keep the old one in stripped-down form for travel. But it would be ironic and sad to leave the light, little MacBook Air at home on the desk while you carry a clunkier model with you.
It will be interesting to see if sensible consumer solutions to this problem spring up, and how they can be marketed without sounding "unpatriotic." Let's face it: just because we have nothing to hide doesn't mean we want to have our lives uploaded to government servers. There must be a way to create a "travel" profile on one's laptop or PDA that doesn't unnecessarily expose all of your contact information to surveillance. Some version of backing up the information before you leave, stripping the laptop to bare bones, and then restoring it after you return home.
WASHINGTON--Some critics of the U.S. government's cybersecurity efforts might argue that nothing short of a bomb going off--or, well, purported Chinese cyberattacks on feds' machines--will land the issue more notice.
Without tougher security standards, Americans are in danger of hacker-induced blackouts, some politicians say.
(Credit: Declan McCullagh/mccullagh.org)This time around, the wake-up call for politicians was, indeed, an explosion: In September, U.S. Homeland Security officials revealed that researchers at the Idaho National Laboratory had managed to destroy a small electrical generator through a simulated cyberattack. A few weeks ago, CNN aired a gloom-and-doom segment featuring snips from the once-classified video showing the device going up in smoke.
Although the prospect of that sort of incident causing massive disruption to the U.S. electrical grid , the success of the experimental hack is drawing new calls from Congress for tougher federal security standards on the computer systems that control the nation's power systems.
"I'll be blunt--if this administration doesn't recognize and prioritize these problems soon, the future isn't going to be pretty," said Rep. Jim Langevin (D-R.I.), chairman of a House of Representatives cybersecurity panel that convened a hearing here on the topic Wednesday afternoon.
It's widely agreed that the threats to so-called "control" systems--sometimes known by the acronym SCADA, short for "Supervisory Control And Data Acquisition"--have grown in recent years. That's because more and more of them are being hooked up to "open" networks, including corporate intranets and the Internet, in an effort by their owners and operators to improve efficiency and lower costs.
But there was never much focus on the idea of building security features into those systems when they were first created, and that trend, unfortunately, continues today, said Joseph Weiss, a consultant and nuclear engineer who spent more than 30 years designing, implementing and analyzing control systems.
Feds: We're on it
Government regulators, for their part, say they are growing increasingly aware of those shortcomings and working valiantly to address the problem. Homeland Security's cybersecurity czar, Greg Garcia, told politicians Wednesday that his agency is handing out cybersecurity self-assessment guidelines to control systems operators, offering training to workers in that sphere, and distributing recommended "mitigations" against real-world attacks like the one simulated in Idaho.
And right now, the Federal Energy Regulatory Commission (FERC), which is responsible for overseeing the reliability of the nation's power systems, is considering proposed rules that purport to strengthen cybersecurity standards for the nation's power systems.
That proposal, however, falls woefully short of offering sufficient protections, Langevin and his Democratic and Republican colleagues said in comments filed recently with FERC. One major problem: The proposed rules are written in such a way that they would not even require electric grid operators and owners to install comprehensive security measures on all critical pieces of their systems that, if compromised, could cause significant disruptions, they argued. Instead, they'd have some latitude to focus only on certain components and neglect others.
The politicians are urging FERC to incorporate some of the more comprehensive, stringent standards developed by the National Institute of Standards and Technology, which is considered home to the government's technical experts.
Weiss, the consultant, argued that the infamous blackout that pummeled the Northeast in August 2003 (and was reportedly linked to the so-called MSBlast worm) arguably wouldn't have been prevented by the proposed regulations, but the NIST rules are comprehensive enough to deal with that issue.
Some suggested that the rules may not be up to par because, as required by law, they were devised chiefly by a group called the North American Electric Reliability Corporation (NERC), which was long considered the trade association for the power industry and was recently given legal authority to propose regulations for federal regulators to approve. An entity with those potential conflicts of interest isn't necessarily well-positioned to come up with objective standards, and it's high time for Congress to create a more independent means of devising critically important cybersecurity rules, Weiss said.
Rep. Zoe Lofgren (D-Calif.) appeared sympathetic to that idea and suggested that Homeland Security's cybersecurity division should be granted more authority to help out. "I don't think the energy sector is necessarily the expert on cybersecurity," she said.
NERC Executive Vice President David Whiteley said his organization was open to revising the proposed rules, while Joseph McClelland, director of FERC's Office of Electric Reliability, acknowledged that further improvements should be made before the rules gain final approval.
Although the electric grid was the primary focus Wednesday, threats to the control systems that deal with myriad other types of utilities could also prove, how shall we say, messy.
After all, the first prominent recorded incident of such an act came in 2000, when a software developer in Australia, apparently miffed after being turned down for a government job, used stolen radio equipment to hack into a system controlling a sewage plant. On nearly 50 occasions, he sent malicious code that opened control valves, causing refuse to ooze into nearby rivers and parks.
WASHINGTON--The U.S. government's cybersecurity czar on Monday called on those in the know to become "ambassadors" of the protect-thy-computer message to the masses.
Greg Garcia, DHS cybersecurity chief
Greg Garcia, assistant secretary for cybersecurity and communications within the Department of Homeland Security, said it's critical for everyone to take cyberrisks seriously, in hopes of meeting his department's ultimate goal: making the United States "the most dangerous place in the real world for cybercriminals to do business."
Welcome to the fourth annual National Cybersecurity Awareness month, the government's designated time for drumbeating how much it cares about apprehending cybercrooks, keeping your own data under wraps and pressuring others to treat it with care as well. That's no small task, as Homeland Security in particular has drawn criticism for years--and as recently as a few months ago--from politicians concerned the agency chiefly responsible for coordinating the nation's response to cyberincidents hasn't been doing a good enough job at it.
Garcia spoke at the inaugural National Cybersecurity Awareness Summit, a daylong event put on here by a non-profit partnership of federal government agencies and software vendors like Microsoft, McAfee, Symantec and Computer Associates.
But his pep talk wouldn't have been complete without the prognostications of doom and gloom evoked so often in this space. In this case, Garcia said the number of cyberincidents reported to the U.S. Computer Emergency Readiness Team (US-CERT) has been growing ever since the clearinghouse for tracking and managing security incidents was established in 2003, and the report tally is likely to continue to rise. That's not necessarily because the raw number of attacks or other malicious events is climbing, though--it may just be because more people are becoming aware of US-CERT's services.
Within the federal government, Garcia said he's aiming to get all cabinet-level agencies hooked up by the end of next year to a system known as Einstein. It's the first tool that has allowed agencies to watch in real time over traffic patterns at their network gateways in an attempt to spot worms or other unwanted presences. The 13 federal agencies currently using the tool have been able to report problematic sightings to US-CERT within four to five hours, rather than four to five days, Garcia said.
Homeland Security is also preparing to release a document outlining essential skills that IT security professionals need and to stage another mock cyberattack, known as Cyber Storm 2, next March. As with the first exercise conducted last year, it's intended to test the readiness and potential responses of various government and private sector entities should a massive cybercatastrophe strike.
But ultimately, securing cyberspace depends on each computer user taking on a measure of "personal responsibility," Garcia said. He urged people to bone up on the educational materials available at Web sites like OnGuardOnline.gov and StaySafeOnline.org and to encourage others to do the same.
A congressional committee is once again questioning the U.S. Department of Homeland Security's ability to detect and fend off cyberattacks, as a recent investigation has turned up evidence of Chinese-linked hacking incidents on internal computers last year.
According to the results of a recent U.S. House of Representatives Homeland Security investigation described in a letter released Monday (PDF), "dozens" of computers on networks at the sprawling cabinet department's headquarters were "compromised by hackers" last year. The intrusions involved planting malicious code that cracked network administrator passwords, masked signs of intrusion and beamed back information to "a Web hosting service that connects to Chinese Web sites."
Excerpt from the House panel's letter to DHS Inspector General
That style of attack is reminiscent of
The letter pinned at least some of the blame on an outside contractor that failed to deploy the necessary "network intrusion detection systems" and attempted to hide "security gaps in their capabilities."
That contractor, Unisys Corp., is now under investigation by the FBI for alleged criminal fraud, according to the The Washington Post, which first reported the Friday letter in a story published Monday morning.
But the letter, signed by Rep. Bennie Thompson (D-Miss.), who leads the Homeland Security Committee and Rep. James Langevin (D-R.I.), who leads a cybersecurity panel within that committee, also faulted Homeland Security officials. The committee leaders accused the department--and particularly its chief information officer--of downplaying the potential for serious cyberintrusions and providing "misleading" responses to the congressional panel's requests for information about reported incidents. They asked Homeland Security Inspector General Richard Skinner to conduct his own investigation into the matter.
Unisys, for its part, told the Post that it hadn't yet been informed of any criminal investigation against it. The company also denied failing to install the proper number of network intrusion tools and said it even continued deploying the monitoring services after Homeland Security, citing lack of funding, stopped paying for them.
Homeland Security representatives, meanwhile, told the Post that Unisys' version of the story was "entirely baseless and disingenuous" and suggested the firm may not be awarded contracts in the future. The agency also denied withholding any information from congressional investigators, with a spokesman saying department officials are "aware of, and have responded to, malicious cyberactivity directed at the U.S. government over the past few years."
A new report by the U.S. Government Accountability Office charges that the Department of Homeland Security used biased methods to enhance performance results in tests on a new generation of radiation detectors meant to protect U.S. ports.
At stake are $1.2 billion in contracts to produce advanced spectroscopic portal (ASP) monitors and thousands of lives should they fail to work.
Experts from four national laboratories were consulted prior to publication of the report (PDF) by the GAO, the nonpartisan audit and investigative arm of Congress, which was released yesterday.
(Credit:
Domestic Nuclear Detection Office)
The agency found that the DHS' Domestic Nuclear Detection Office "used biased test methods that enhanced the performance of ASPs." Specifically, it conducted preliminary tests and then allowed contractors access to the results, which they then used to adjust systems accordingly.
It is "highly unlikely that such favorable conditions" would be found in a real-world situation, the GAO report deadpanned.
Portals in use today detect radiation but cannot distinguish between different types. This leads to expensive and time-consuming delays at ports of entry when customs officers respond to false alarms, according to the Domestic Nuclear Detection Office. To remedy this, DHS sponsored research on new technology to enhance detection capabilities at the nation's ports. In 2006, it awarded contracts to three companies based on performance tests in Nevada the previous year: Raytheon, Thermo Electron and Canberra Industries.
The GAO, however, was not convinced that any "additional detection capability provided by the ASPs was worth the considerable additional costs." The accounting agency found that the DHS had no sound basis for spending taxpayer money and "relied on assumptions of anticipated performance instead of actual test data." It recommended further testing and a rigorous cost-benefit analysis.
It wasn't the first time that problems had been found in the procurement process. In a March 2007 report (PDF), the GAO concluded that DHS' decision to procure and deploy the new equipment was not supported by the cost and suggested that the department come up with some "objective" assessments of ASP capability.
The question was whether the new equipment, at six times the cost of current models, was better able to detect radiation through different masking materials, such as a lead. The GAO charged that the Domestic Nuclear Detection Office did not test portal limitations or make any effort to replicate the material that would be used to mask a radiation source from detection, a "critical oversight in DNDO's original test plan." Instead, the detection office is attempting to get off the hook by substituting what are essentially computer simulations that are not comparable with "actual testing with nuclear and masking materials," according to the GAO.
The GAO recommended that production of the new portal monitors be delayed until the DHS provides a "sound analytical basis for its decision to purchase and deploy the new technology."
WASHINGTON--Homeland Security Secretary Michael Chertoff on Wednesday largely dodged questions from a congressional committee about the department's cybersecurity operations, including whether its computers have ever faced attacks from Chinese hackers.
Michael Chertoff
During wide-ranging testimony before the U.S. House of Representatives Homeland Security Committee here, Chertoff devoted only a few sentences to his department's charge of protecting the nation's computer systems from attack. He claimed he couldn't get into many of the details because of their "classified" nature.
"I can assure you we are working with other elements of the federal government and giving the highest priority to putting together an enhanced strategy with respect to cybersecurity," he told the politicians.
DHS has been publicly blasted by Congress and government auditors in the past for failing to live up to their expectations in the cybersecurity realm. At a hearing in June, members of the same committee attacked the department's chief information officer over reports of 844 security-related "incidents"--granted, many of which were not particularly serious and did not indicate actual intrusions--on its computer systems in 2005 and 2006.
The Homeland Security chief, who's rumored to be in the running for Attorney General Gonzales' soon-to-be-vacated post, didn't divulge much more under subsequent questioning at Wednesday's event from Rep. Jim Langevin (D-R.I.), who leads a cybersecurity subcommittee. In light of recent reports, which were later denied by the Chinese government, that Chinese hackers penetrated Department of Defense computer systems, Langevin asked Chertoff to reveal whether DHS computers have "ever called home to Chinese servers" or whether he knew of Chinese hackers breaking into those systems. (China was also believed to be the source of attacks on Commerce Department computers last year.)
Chertoff never directly answered the questions, saying, "this is the area which is heavily intertwined with classified information."
The purpose of the hearing, at which the DHS chief was the sole witness, was to assess "security gaps" at the agency. Democrats presented Chertoff with a "to-do list" for the remainder of his term and chided him for missing deadlines for certain administration programs. Yet some nonetheless voiced respect for his work so far and said they'd hate to see him leave the department, say, for the attorney general post.
The Homeland Security chief's response was fairly noncommittal. He said he's "happy to continue to do this job up until the very last day of the administration," that is, unless the president decides otherwise.
