Congress grills Homeland Security CIO Charbo on department's security controls
The top IT official of the U.S. Department of Homeland Security (DHS) faced the music Wednesday when a Congressional subcommittee grilled him on how well the department could fend off a cyberattack, especially in light of a critical government audit and findings that the agency charged with protecting the United States from terrorists suffered 844 cybersecurity "incidents" in 2005 and 2006.
Those incidents — which ranged from lost laptops to malware-infected PCs to confidential emails being sent over unclassified channels — never "pointed back to being an orchestrated attack," DHS Chief Information Officer Scott Charbo told the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology.
A separate audit conducted by the Government Accountability Office (GAO), which reviewed DHS’s Customs and Border Control security measures, identified 45 weaknesses and offered some 56 recommendations.
Gregory Wilshusen, director of information security issues for GAO, testified that key DHS systems did not properly identify users, protect boundaries, implement physical security protection or adequately log events. This posed a risk that could allow internal or external attackers to gain access to confidential information or to disrupt service.
Rep. Bennie Thompson, D-Miss., chairman of the House Homeland Security Committee, said DHS is not serving as a strong example for other organizations.
"How can the DHS be a real advocate for sound cybersecurity practices without following some of its own advice?" he said, questioning the leadership ability of Chabot, CIO since June 2005 and former CIO of the U.S. Department of Agriculture.
Chabot defended his agency, saying the department has taken a number of steps to improve its security posture, including collapsing its multiple wide-area networks into a single WAN and fully encrypting traffic, standardizing all email and directory services into a single secure framework and consolidating multiple legacy data centers into a centralized system.
He added: "You don’t know what you don’t know."
But subcommittee members were not sold on the progress. Rep. Jim Langevin, D-R.I., cited recent reports of Chinese hackers attacking Department of Commerce and several state department databases. But Charbo said he was never briefed on hackers infiltrating DHS networks.
"Do we experience scans from other countries?" he said. "We believe so…but they’re not attacks."
Keith Rhodes, chief technologist at GAO, said the agency’s audit did not turn up any evidence of a hack, but he said he "did not see controls in place that would prevent it," or "systems in place that would let you know whether it happened."
"My concern is that I don’t think people understand the virtual and physical world are intersecting every day," he added. "I fear we cannot secure systems holding information because we don’t understand the value of that information. When the power grid [becomes] completely automated, when the oil and gas [infrastructure becomes] completely automated, we will have a very serious problem on our hands because we do have opponents and they’re dedicated."
Charbo also was criticized for his handling of DHS cybersecurity spending. Rep. Bob Etheridge, D-N.C., said the department’s budget has risen by a quarter over the past few years, but cybersecurity spending has slipped. Charbo said IT spending — about seven percent of the annual budget — was above industry average.
Meanwhile, Rep. Michael McCaul, R-Texas, during his opening remarks, said he plans to propose legislation calling for a "strategic national threat assessment" to evaluate the nation’s cybersecurity.
"This has never been done and it’s long overdue," he said. "And the nation deserves it, and the nation needs this to protect it. I believe an attack on information infrastructure could be worse than the effects of a weapon of mass destruction, and I hope [DHS] would take it just as seriously."
Get more IT security news. Click here for SC Magazine Blogs.