Rep. Bennie G. Thompson, D-Miss., chairman of the House Committee on Homeland Security, and Rep. James R. Langevin, D-R.I., chairman of the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, sent a letter Friday to Richard L. Skinner, DHS inspector general, indicating DHS systems are being attacked by hackers based in other countries. The letter alleged that the networks are at risk because of "incompetent and possibly illegal activity" by a major IT security consulting firm.
The congressmen did not identify the contractor, but a report on Monday in the Washington Post indicated that the FBI is investigating Unisys, which has a $1.7 billion contract with the DHS.
The FBI is reportedly investigating Unisys for failing to detect cyberattacks linked to a Chinese-language website, then trying to cover up the breaches. The Post also reported that in 2002, Unisys won a $1 billion deal to deploy and securely manage the IT networks of the Transportation Security Administration (TSA), a division of the DHS.
"The infiltration of federal government networks by unauthorized users is one of the most critical issues confronting our nation, but it's hardly a new threat," Thompson and Langevin wrote. "For years, these attacks have resulted in the loss of massive amounts of critical information. Cyber-espionage is an issue of national security, and we must improve our defensive posture to prevent the theft of data or the compromise of the integrity of our data."
The congressmen noted that intruders moved information from the compromised computers to a web-hosting company with ties to Chinese websites. Langevin and Thompson also alleged that the DHS contracted with Unisys to install network intrusion detection systems that were not fully deployed during the incidents.
In their letter, Langevin and Thompson also noted that the Committee on Homeland Security was notified that password-theft malware and malicious code were discovered on more than 12 computers at DHS headquarters. The congressmen said the computers could still be compromised because of the contractor's "insufficient mitigation efforts."
Unisys released a statement on Monday saying it "vigorously disputes the allegations" in the Post article, "but federal security regulations preclude public comment on specific incidents."
"We can state generally that the allegation that Unisys did not properly install essential security systems is incorrect. In addition, we routinely follow prescribed security protocols and have properly reported incidents to the customer in accordance with these protocols," Unisys said in a statement. "We are proud of our work and believe it has significantly strengthened the integrity and performance of the agency's information infrastructure in the difficult years following Sept. 11, 2001."
The break-ins point to a "lack of a complete set of preventable controls [within contractor networks]," Sachin Nayyar, CEO of Vaau, an identity management vendor, told SCMagazineUS.com.
"Organizations must review firewall and IDS rules on a regular basis," he said. "They must review event logs from application and database servers to check for events that are creating alerts that someone is trying to access this sort of information."