House panel blasts DHS CIO for security failures
The subcommittee also questions Scott Charbo's ability to handle his job
Computerworld - A House subcommittee investigating cybersecurity vulnerabilities at the U.S. Department of Homeland Security yesterday blasted the agency's CIO for his alleged lack of leadership on key security issues. Subcommittee members also questioned DHS CIO Scott Charbo's willingness to make needed security fixes and his ability to head the agency's IT operations.
Charbo rebutted the charges, saying that much of the criticism was based on outdated data that ignored security improvements the agency has been making.
The attacks on Charbo came at a hearing held by a subcommittee of the Committee on Homeland Security. Committee Chairman Bennie Thompson (D-Miss.) said he had reviewed Charbo's responses to a series of security-related questions on which the subcommittee had sought clarification. Based on those responses, "I think the first thing that Mr. Charbo needs to do is explain to us why he should keep his job. I've spent some time reviewing Mr. Charbo's responses to our questions, and reviewing the numerous IG [inspector general] and GAO audits of his work. I am not convinced that he's serious about fixing the vulnerabilities in our systems."
Thompson's criticism was echoed by Rep. James Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, which held the hearing. In prepared testimony, Langevin expressed "shock and disappointment" that the DHS had reported as many as 844 security incidents in fiscal years 2005 and 2006. The incidents occurred on IT networks at DHS headquarters, and those belonging to Immigration and Customs Enforcement, Customs and Border Protection (CBP) and the Federal Emergency Management Agency.
The security issues highlighted by Langevin in his testimony included one in which a password dumping utility was found on two DHS servers. In addition, Trojans and other malicious programs were found on numerous agency servers, and classified mail was found to have been sent out over insecure networks.
"Information provided by the DHS suggests that the CIO is failing to engage in defensive best practices that would limit penetrations into the DHS network," Langevin said. For example, the agency has so far failed to mandate two-factor authentication across its networks, perform ingress or egress filtering on its networks, or perform audits to look for rogue tunnels, he said.
Langevin also expressed dismay at what he said was Charbo's unwillingness to invest needed resources to fix such issues. "The finances show that Mr. Charbo and the department's leadership continue to underinvest in IT security," Langevin said.
Other committee members grilled Charbo on his awareness of previous computer intrusions at other federal agencies by Chinese hackers, and asked him why he had failed to solicit detailed information on the attacks from US-CERT and intelligence agencies.