House committee grills DHS on information security

Computerworld - Bennie Thompson, (D-Miss.), the chairman of the House Committee on Homeland Security, joined other committee members in sending a letter to Scott Charbo, the CIO at the Department of Homeland Security (DHS) seeking answers to 13 questions pertaining to information security at the agency.

In the letter, Thompson and other members cited a subcommittee hearing held last month into hacking incidents at the Departments of State and Commerce last year and said they are concerned that similar incidents might be occurring within DHS networks. "These incidents jeopardize the integrity of our government's information," they said in the letter, which was publicly released today.

In their letter, committee members are seeking information on the number of security incidents reported by the DHS to the U.S. Computer Emergency Readiness Team (US-CERT) and the number of cyberattacks that it had suffered between 2004 and 2007. The DHS was also asked to classify the attacks based on their severity, together with a listing of all incidents not reported to the CERT.

Among the 13 questions are a couple pertaining to network penetration testing as well as ingress and egress filtering on personal computers. Also included are questions relating to strong authentication, secure software coding practices and legal requirements relating to security, hosting companies, software developers and other third-parties working for the DHS.

Charbo was also asked about the extent of his direct responsibility for the DHS network as well as the relationships that exist between the CIO, CSO and IT chiefs at DHS component agencies.

The committee's letter follows the April 19 hearing into hacking incidents by foreign hackers at the Departments of State and Commerce. That hearing was designed to raise awareness of the extent to which foreign entities have infiltrated government networks. Security officials at both agencies were required to respond to a set of very detailed questions on the measures they had in place when the hacks occurred, how long they took to detect the break-ins, what measures they had taken to remedy the situation and correctional measures to mitigate similar incidents.

The letter was probably prompted by two issues, said Alan Paller, director of research at the SANS Institute in Bethesda, Md. One of them is that Thompson's committee wants to find out how effective the federally mandated FISMA requirements are in mitigating security risks, he said. The committee also likely suspects that other ageencies have been penetrated and wants to know what types of penetrations have happened and what information might have been lost in such incidents, he said.

"The answer to this one will most likely be classified, but with this letter, the people at DHS will have to disclose the information in a classified session," he said.

Read more about security in Computerworld's Security Knowledge Center.