Jul 30, 2007 (11:07 AM EDT)
Congressmen Call For More Answers On Lax DHS Security

Read the Original Article at InformationWeek

After it was revealed last month that the Department of Homeland Security suffered 844 security breaches in a two-year span, two congressmen are prodding the agency's CIO for information on how he plans to fill some gaping holes.

Committee on Homeland Security Chairman Bennie G. Thompson, D-Miss., and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James R. Langevin, D-R.I., both signed off on a letter to DHS CIO Scott Charbo, as well as to Robert West, the agency's chief information security officer, late last week. The letter, which was released to the media, expressed concern over security holes and questioned Charbo about possible breaches within the Office of Procurement Operations and the Directorate of Science and Technology, also known as the S&T Directorate.

The Office of Procurement Operations handles a large percentage of Homeland Security's contractors. The U.S. Government Accountability Office reported a year ago before a House committee that the office lacked the necessary internal controls to successfully oversee interagency contracting activity. And the S&T Directorate is the primary research and development arm of DHS.

In the letter, Langevin and Thompson noted that a recent GAO audit found that there are "significant vulnerabilities" in the department's systems.

"While some department components demonstrated improvement over the previous year, auditors found that most did not measurably enhance their security posture," the letter stated. "During the 2006 IT testing, auditors identified over 200 vulnerable conditions on financial management networks that were in need of mitigation. Though the department closed 44% of those risks, more than 150 new findings were discovered this year."

The congressmen reported that the vulnerabilities included access to key financial applications, misconfigured security controls for financial applications and support systems, and poor application-change control processes.

"The Committee is deeply concerned that the vulnerable conditions highlighted in recent reports by the Inspector General may facilitate espionage on the Department's computers," the letter added.

Langevin and Thompson then asked Charbo and West if there has ever been unauthorized access to any part of the network in the Office of Procurement Operations or the S&T Directorate. They also wanted to know if a hacking tool or password collector had ever been installed on a computer in either of the offices, and if an infected machine ever transmitted information out of the two offices. The congressmen then asked for specific information on seven "incidents" that appear to have occurred in 2006.

They requested that Charbo and West respond no later than Aug. 27.

In June, Charbo was raked over the coals in front of a congressional hearing focused on security breaches at the DHS. The hearing was called to follow up on what has been a series of hearings on the government's cybersecurity. A congressional hearing had been called this spring on a data breach at the U.S. Department of Agriculture, and on April 19 there was a congressional hearing focused on computer break-ins at both the Department of State and the Department of Commerce last summer.

During the June hearing, Thompson concluded his statement by saying, "In light of all of the evidence in front of us, I think the first thing that Mr. Charbo needs to do is explain to us why he should keep his job."