IT Confidential: National Cybersecurity: It's, Like, A Vested Interest

To: Scott Charbo, CIO, Department of Homeland Security

Re: Last week's letter from Rep. Bennie Thompson, D-Miss., chairman, Committee on Homeland Security

Scott: My first piece of advice is--chill. Go for a drive in Virginia, kick back, put on a little Dave Matthews or John Mayer. Don't take it personally; these things happen in business. Actually, you're in government, I know, but it's the same thing, right?

When I read a copy of the letter last week from Thompson and those dudes over at the House Committee on Homeland Security, my first thought was, man, I've gotten letters like that. Well, not letters, really, mostly E-mails. In fact, I didn't know people still sent letters--don't they take, like, a long time to arrive?

That was some pretty harsh stuff the committee chairman laid on you. "What responsibility does the Chief Information Officer have over the networks of the Department of Homeland Security?" OK, so maybe that's a legit question. But this: "Please explain your relationship to the Chief Information Security Officer, as well as the Chief Information Officers and Chief Information Security Officers of the Department's component agencies." Hey, you're not asking him to explain his internal politics. And I mean politics like office politics, not politics politics.

All this because a couple of foreign hackers broke into computer systems at the State Department and the Commerce Department last summer. Not that I don't appreciate the seriousness of those incidents, as I'm sure you do. But hey, those didn't happen on your watch, am I right?

Speaking of which: "Please provide a report on how many and what types of incidents have been reported to US-CERT by agencies within the Department of Homeland Security." You know what they say: Confession is good for the soul.

Bennie was a bit snippy in some of his requests: "Does a complete network topology diagram exist? If so, please provide that diagram." I can relate: Just because you can't lay your hands on something right away doesn't mean it doesn't exist. And this: "Has the Department mandated two-factor authentication for all privileged personnel and system administrators? If not, why not?" Ouch. Since when did politicos get tech savvy?

Still, the dude from Mississippi might have a point. Maybe it's time to take a hard look at network vulnerabilities in government systems and do something about them. Homeland Security's not a bad place to start.

Bennie's not letting you off the hook too easy, though, is he? "Has the Department taken an inventory of each access point to its network (e.g., every connected device, wireless device, remote device, etc.), both inside and outside of the firewall, in order to identify points of vulnerability?" With 184,000 employees, that's a lot of vulnerability points. "What legal requirements are the Department's hosting companies, data warehouses, software developers, or applications service providers contractually obligated to fulfill regarding security?" Time to dig out those SLAs, huh?

I hope you don't mind if I float some advice. There's a lot of network security expertise in the private sector. I know some people who know some people, and I'm sure they'd be willing to help out in any way they can. We all have a vested interest in national cybersecurity, you might say. Just let me know if you want me to hook you up.

PS: If you've got a line on Redskins tickets, or an industry tip, send it to [email protected] or phone 516-562-5326.

Rob Preston's column will return next week.