Computerworld - A House subcommittee investigating cybersecurity vulnerabilities at the U.S. Department of Homeland Security yesterday blasted the agency's CIO for his alleged lack of leadership on key security issues. Subcommittee members also questioned DHS CIO Scott Charbo's willingness to make needed security fixes and his ability to head the agency's IT operations.
Charbo rebutted the charges, saying that much of the criticism was based on outdated data that ignored security improvements the agency has been making.
The attacks on Charbo came at a hearing held by a subcommittee of the Committee on Homeland Security. Committee Chairman Bennie Thompson (D-Miss.) said he had reviewed Charbo's responses to a series of security-related questions the subcommittee had sought clarifications on. Based on those responses, "I think the first thing that Mr. Charbo needs to do is explain to us why he should keep his job. I've spent some time reviewing Mr. Charbo's responses to our questions, and reviewing the numerous IG [inspector general] and GAO audits of his work. I am not convinced that he's serious about fixing the vulnerabilities in our systems."
Thompson's criticism was echoed by Rep. James Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, which held the hearing. In prepared testimony, Langevin expressed "shock and disappointment" that the DHS had reported as many as 844 security incidents in fiscal years 2005 and 2006. The incidents occurred on IT networks at DHS headquarters, and those belonging to Immigration and Customs Enforcement, Customs and Border Protection (CBP) and the Federal Emergency Management Agency.
The security issues highlighted by Langevin in his testimony included one in which a password dumping utility was found on two DHS servers. In addition, Trojans and other malicious programs were found on numerous agency servers, and classified mail was found to have been sent out over insecure networks.
"Information provided by the DHS suggests that the CIO is failing to engage in defensive best practices that would limit penetrations into the DHS network," Langevin said. For example, the agency has so far failed to mandate two-factor authentication across its networks, perform ingress or egress filtering on its networks, or perform audits to look for rogue tunnels, he said.
Langevin also expressed dismay at what he said was Charbo's unwillingness to invest needed resources to fix such issues. "The finances show that Mr. Charbo and the department's leadership continue to underinvest in IT security," Langevin said.
Other committee members grilled Charbo on his awareness of previous computer intrusions at other federal agencies by Chinese hackers, and asked him why he had failed to solicit detailed information on the attacks from US-CERT and intelligence agencies.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
