Committee chairman Bennie G. Thompson, D-Miss., joined committee members in sending a letter to Department of Homeland Security CIO Scott Charbo, requesting information about the security of the department's networks. The letter, which went out Tuesday, poses 13 questions for Charbo to answer.
"These incidents jeopardize the integrity of our government's information," wrote Thompson, along with five other committee members. "We are concerned that similar incidents may be occurring within the networks of the Department of Homeland Security."
During the hearing on April 19, James Langevin, D-R.I., speaking before the House Homeland Security Committee's cybersecurity panel, said he was "disappointed and troubled" about the state of the U.S. government's cybersecurity policies. The two computer break-ins at the Department of State and the Department of Commerce last summer, he said, are very likely deeper and more insidious than even the government has reported.
And Langevin contends that there are more security breaches that the public simply doesn't hear about.
"Let me be clear about the threat to our federal systems: I believe the infiltration by foreign nationals of federal government networks is one of the most critical issues confronting our nation," said Langevin, who is chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. "The acquisition of our government's information by outsiders undermines our strength as a nation. ...This is a most critical issue that we cannot afford to ignore any longer."
In Tuesday's letter to Charbo, the committee members ask him what responsibility he has over the department's networks and if he has taken an inventory of access points to the network.
The letter goes on to ask Charbo to provide the committee with the department's incident response plan and to provide a report of how many and what types of incidents have been, or should have been, reported to U.S.-CERT. The committee asks him to provide details of any attacks that happened between 2004 and 2007, which were the most critical, and which ones were not reported.
Has the department conducted penetration tests? Has the department implemented two-factor authentication for privileged personnel and system administrators? How much money has the department spent on meeting Federal Information Security Management Act requirements? These are some of the questions the committee wants answered.
The committee has put a May 21 deadline on getting its questions answered.