House panel blasts DHS CIO for security failures
The subcommittee also questions Scott Charbo's ability to handle his job
Computerworld - A House subcommittee investigating cybersecurity vulnerabilities at the U.S. Department of Homeland Security yesterday blasted the agency's CIO for his alleged lack of leadership on key security issues. Subcommittee members also questioned DHS CIO Scott Charbo's willingness to make needed security fixes and his ability to head the agency's IT operations.
Charbo rebutted the charges, saying that much of the criticism was based on outdated data that ignored security improvements the agency has been making.
The attacks on Charbo came at a hearing held by a subcommittee of the Committee on Homeland Security. Committee Chairman Bennie Thompson (D-Miss.) said he had reviewed Charbo's responses to a series of security-related questions on which the subcommittee had sought clarification. Based on those responses, "I think the first thing that Mr. Charbo needs to do is explain to us why he should keep his job. I've spent some time reviewing Mr. Charbo's responses to our questions, and reviewing the numerous IG [inspector general] and GAO audits of his work. I am not convinced that he's serious about fixing the vulnerabilities in our systems."
Thompson's criticism was echoed by Rep. James Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, which held the hearing. In prepared testimony, Langevin expressed "shock and disappointment" that the DHS had reported as many as 844 security incidents in fiscal years 2005 and 2006. The incidents occurred on IT networks at DHS headquarters, and those belonging to Immigration and Customs Enforcement, Customs and Border Protection (CBP) and the Federal Emergency Management Agency.
The security issues highlighted by Langevin in his testimony included one in which a password dumping utility was found on two DHS servers. In addition, Trojans and other malicious programs were found on numerous agency servers, and classified mail was found to have been sent out over insecure networks.
"Information provided by the DHS suggests that the CIO is failing to engage in defensive best practices that would limit penetrations into the DHS network," Langevin said. For example, the agency has so far failed to mandate two-factor authentication across its networks, perform ingress or egress filtering on its networks, or perform audits to look for rogue tunnels, he said.
Langevin also expressed dismay at what he said was Charbo's unwillingness to invest needed resources to fix such issues. "The finances show that Mr. Charbo and the department's leadership continue to underinvest in IT security," Langevin said.
Other committee members grilled Charbo on his awareness of previous computer intrusions at other federal agencies by Chinese hackers, and asked him why he had failed to solicit detailed information on the attacks from US-CERT and intelligence agencies.