There also was a report of a password dumping utility found on two DHS systems. Paller explained that it's malware that steals entire password files from the server and sends them back to a remote hacker. "This would give [a hacker] the ability to crack the system," he noted. "Most people use the same user name and passwords on lots of systems, so that hacker now has access to lots and lots of machines and systems."
Paller, though, said it's highly likely that the worst breaches are the ones that are not being reported.
"If you have a really embarrassing event, you don't want it leaking out," he added. "Many agencies feel it's less of a problem to not tell, than to tell and be beaten up about it."
Both Paller and Rhodes said part of the problem is with the contractors' systems where they say a great deal of sensitive information is stored. "Government systems are about [as secure] as most commercial systems but not as secure as banks," said Paller. "But a lot of government data is less than average because it's stored at contractor sites."
Rhodes said when he went to DHS to look into its security systems, IT workers there had to defer to the contractors to understand what the system was doing.
"Having contractors run the system is not a bad thing," added Rhodes. "But outsourcing is not an abdication of responsibility. Just because you bring the contractors in does not mean you should have an environment where the only person looking in the system is a contractor. To understand how the system was set up and what it was doing, we had to talk to contractors."
"There is a threat and there's also an impact," he said. "They hold personally identifying information. They've got a lot of information about a lot of people, and some of those people are good people and some are bad people. Is this information important to you? Yes, it's important to everybody in the United States. ... Any government agency that has weak security has an impact on the national security mission."