Can DHS Protect Its Networks?
— -- The U.S. Department of Homeland Security's CIO was on the hot seat Wednesday on Capitol Hill after an independent audit found that a database that screens U.S. visitors lacked security controls.
The chairman of the U.S. House of Representatives Homeland Security Committee called on DHS CIO Scott Charbo to explain why he should keep his job after persistent cybersecurity problems at the agency.
"What happened to leadership?" Representative Bennie Thompson, the committee chairman and a Mississippi Democrat, said during a hearing of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. "What happened to accountability?"
Lawmakers also said they were concerned that the agency reported 844 cybersecurity incidents in 2005 and 2006.
"Although we still have a ways to go, we've made measurable improvements in the management of information security at the department," Charbo said. "Certainly, we need to increase our vigilance to ensure that such incidents do not happen again."
Many of the 844 incidents were minor, and the agency has taken major steps to fix past cybersecurity issues, Charbo said. Many of the reported cybersecurity incidents related to problems such as lost laptops that did not result in data breaches, he added.
The subcommittee did not have a breakdown of the incidents Wednesday.
Asked about reports of bots installed on DHS computers that could send information out to hackers, Charbo said he had "no evidence" that the bots caused a breach.
Thompson's comments came as the U.S. Government Accountability Office (GAO) issued a report saying DHS continues to have "significant weaknesses in computer security controls that threaten the confidentiality, integrity, and availability of key ... systems."
GAO investigators found no security controls on the US-VISIT database, the system that screens people who want to visit the U.S. for potential terrorists and criminals. Lawmakers are concerned whether terrorists could get into the database "and change or alter their names to allow them access to this country, and we wouldn't even know that they're doing it," said Representative Bob Etheridge, a North Carolina Democrat.
A contractor provides IT security for US-VISIT, but DHS has its own security controls in place to protect the database, Charbo said. He didn't disclose specific security measures.
The GAO doesn't have evidence that the US-VISIT database was breached, said Keith Rhodes, chief technologist and director of the GAO's Center for Technology and Engineering. "I did not see controls in place that would prevent it," Rhodes said. "I did not see defensive perimeters, and I did not see detection systems in place whether it had or had not [been breached]."
GAO started a cybersecurity review of DHS a year ago, but curtailed its efforts because it kept finding "more and more" problems, Rhodes said. "If we had continued to this day, I would argue we'd still be finding things," he said. "The problems were pervasive. The problems were systemic."
Charbo outlined recent measures DHS has taken to improve cybersecurity there. The agency is collapsing multiple legacy WANs into a single WAN, and it is standardizing all e-mail and directory services onto a single platform, he said. The agency had 13 separate e-mail systems when it was formed out of 22 U.S. agencies in 2002, he said.
DHS also is combining multiple data centers into a shared center, he said.
Thompson asked how DHS officials can preach cybersecurity practices to other agencies and private companies while continuing to have its own problems. Among the incidents DHS reported were employees sending out classified documents on unclassified networks and contractors attaching unauthorized laptops to the DHS network, he said.
"How can the Department of Homeland Security be a real advocate of sound cybersecurity practices without following some of its own advice?" he said. "What the department is doing on its own network speaks so loud that the message isn't getting across to anyone else."