Business & Finance
News
6/21/2007
02:41 PM
Connect Directly
RSS
E-Mail
50%
50%

Feds' Own Hacker Cracks Homeland Security Network

After a heated congressional hearing on cybersecurity Wednesday, two major security players say there may be many more breaches than reported.

Within the past year, a hacker secretly broke into the Department of Homeland Security network and deleted, updated, and captured information -- all without anyone knowing he was even in there.

Luckily, the hacker was Keith A. Rhodes, chief technologist at the U.S. Government Accountability Office. Rhodes, considered to be the federal government's top hacker, has a congressional mandate to test the network security at 24 government agencies and departments. He performs 10 penetration tests a year on agencies such as the IRS and the Department of Agriculture. And for the past year, he's been testing the network at DHS.

"I would label them [DHS] as being at high risk," Rhodes told InformationWeek the day after a congressional hearing into the security of the government agency tasked with being the leader of the nation's cybersecurity. "There was no system we tested that didn't have problems. There was nothing we touched that didn't have weaknesses, ranging from WAN to desktops. ... If we had continued the audit we would have found more. We curtailed the audit because we just kept finding problems. At a certain point, we just ran out of room in our basket."

Rhodes was one of the people who testified before the congressional hearing that took the Department of Homeland Security and its CIO, Scott Charbo, to task for weaknesses in the department's computer network.

Jim Langevin, D-R.I., chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, said at the hearing Wednesday afternoon that the 844 incidents came during fiscal 2005 and 2006. He also said the infiltration of federal government networks and the possible theft or exploitation of information on them is one of the most critical issues confronting the country, noting that the Chinese have been "coordinating attacks against the Department of Defense for years."

However, Alan Paller, director of research at the SANS Institute, said 844 is most likely only a piece of the security breaches that the department suffered in that two-year span.

"The reality is that the federal agencies don't report all of them," he said in an interview after the hearing. "Eight hundred and forty-four is a big number, but it's a sample of the reality, not the total reality."

Paller said the 844 incidents reported to executives at DHS could be as much as 80% of the real total or as little as 10%. He estimates it's closer to half. "You don't know about all of them. That I can guarantee," he said. "And in particular, you're not knowing about the worst ones."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.