Congressmen Call For More Answers On Lax DHS Security
Two congressmen are questioning the Department of Homeland Security's CIO and CISO about information security in the agency's research arm and in the office that deals with contractors.
After it was revealed last month that the Department of Homeland Security suffered 844 security breaches in a two-year span, two congressmen are prodding the agency's CIO for information on how he plans to fill some gaping holes.
Committee on Homeland Security Chairman Bennie G. Thompson, D-Miss., and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James R. Langevin, D-R.I., both signed off on a letter to DHS CIO Scott Charbo, as well as to Robert West, the agency's chief information security officer, late last week. The letter, which was released to the media, expressed concern over security holes and questioned Charbo about possible breaches within the Office of Procurement Operations and the Directorate of Science and Technology, also known as the S&T Directorate.
The Office of Procurement Operations handles a large percentage of Homeland Security's contractors. A year ago, the U.S. Government Accountability Office told a House committee that the office lacked the internal controls needed to properly oversee interagency contracting activity. The S&T Directorate is the primary research and development arm of DHS.
In the letter, Langevin and Thompson noted that a recent GAO audit found that there are "significant vulnerabilities" in the department's systems.
"While some department components demonstrated improvement over the previous year, auditors found that most did not measurably enhance their security posture," the letter stated. "During the 2006 IT testing, auditors identified over 200 vulnerable conditions on financial management networks that were in need of mitigation. Though the department closed 44% of those risks, more than 150 new findings were discovered this year."
The congressmen reported that the vulnerabilities included access to key financial applications, misconfigured security controls for financial applications and support systems, and poor application-change control processes.
"The Committee is deeply concerned that the vulnerable conditions highlighted in recent reports by the Inspector General may facilitate espionage on the Department's computers," the letter added.
Langevin and Thompson then asked Charbo and West if there has ever been unauthorized access to any part of the network in the Office of Procurement Operations or the S&T Directorate. They also wanted to know if a hacking tool or password collector had ever been installed on a computer in either of the offices, and if an infected machine ever transmitted information out of the two offices. The congressmen then asked for specific information on seven "incidents" that appear to have occurred in 2006.
They requested that Charbo and West respond no later than Aug. 27.
In June, Charbo was raked over the coals in front of a congressional hearing focused on security breaches at the DHS. The hearing was called to follow up on what has been a series of hearings on the government's cybersecurity. A congressional hearing had been called this spring on a data breach at the U.S. Department of Agriculture, and on April 19 there was a congressional hearing focused on computer break-ins at both the Department of State and the Department of Commerce last summer.
During the June hearing, Thompson concluded his statement by saying, "In light of all of the evidence in front of us, I think the first thing that Mr. Charbo needs to do is explain to us why he should keep his job."