House panel blasts DHS CIO for security failures
The subcommittee also questions Scott Charbo's ability to handle his job
Computerworld - A House subcommittee investigating cybersecurity vulnerabilities at the U.S. Department of Homeland Security yesterday blasted the agency's CIO for his alleged lack of leadership on key security issues. Subcommittee members also questioned DHS CIO Scott Charbo's willingness to make needed security fixes and his ability to head the agency's IT operations.
Charbo rebutted the charges, saying that much of the criticism was based on outdated data that ignored security improvements the agency has been making.
The attacks on Charbo came at a hearing held by a subcommittee of the Committee on Homeland Security. Committee Chairman Bennie Thompson (D-Miss.) said he had reviewed Charbo's responses to a series of security-related questions on which the subcommittee had sought clarification. Based on those responses, "I think the first thing that Mr. Charbo needs to do is explain to us why he should keep his job. I've spent some time reviewing Mr. Charbo's responses to our questions, and reviewing the numerous IG [inspector general] and GAO audits of his work. I am not convinced that he's serious about fixing the vulnerabilities in our systems."
Thompson's criticism was echoed by Rep. James Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, which held the hearing. In prepared testimony, Langevin expressed "shock and disappointment" that the DHS had reported as many as 844 security incidents in fiscal years 2005 and 2006. The incidents occurred on IT networks at DHS headquarters, and those belonging to Immigration and Customs Enforcement, Customs and Border Protection (CBP) and the Federal Emergency Management Agency.
The security issues Langevin highlighted in his testimony included one in which a password-dumping utility was found on two DHS servers. In addition, Trojans and other malicious programs were found on numerous agency servers, and classified mail was found to have been sent out over insecure networks.
"Information provided by the DHS suggests that the CIO is failing to engage in defensive best practices that would limit penetrations into the DHS network," Langevin said. For example, the agency has so far failed to mandate two-factor authentication across its networks, perform ingress or egress filtering on its networks, or perform audits to look for rogue tunnels, he said.
Langevin also expressed dismay at what he said was Charbo's unwillingness to invest needed resources to fix such issues. "The finances show that Mr. Charbo and the department's leadership continue to underinvest in IT security," Langevin said.
Other committee members grilled Charbo on his awareness of previous computer intrusions at other federal agencies by Chinese hackers, and asked him why he had failed to solicit detailed information on the attacks from US-CERT and intelligence agencies.