DHS technology chief faces tough questioning at House hearing

The Homeland Security Department's chief information officer needs to explain to Congress why he should keep his job in light of recently uncovered security lapses, the head of the House panel overseeing the department said Wednesday.

Rep. Bennie Thompson, D-Miss., chairman of the Homeland Security Committee, said he is not convinced DHS technology chief Scott Charbo is serious about fixing vulnerabilities in the department's information technology systems.

"If he's not committed to securing our networks, I have to question his ability to lead the department's IT efforts," Thompson said in an opening statement at a hearing before the panel's Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. "I can't understand for the life of me why it takes outside auditors to tell the CIO and his contractors that these networks are insecure."

Lawmakers called on Charbo to answer questions about numerous breaches uncovered by auditors. The Government Accountability Office reported that the department failed to fix vulnerabilities in the IT system supporting the US-VISIT program to track entrances and exits to the United States, for instance, and did not invest adequately in defensive measures.

Thompson questioned how the rest of the government and the private sector could take cybersecurity seriously if DHS doesn't fix its own configurations.

"A 'do as I say, not as I do' policy is a recipe for disaster, and if we are serious about the security risks facing our networks, then we need to start acting and stop posturing," Thompson said. "The American people are tired of hearing that getting a D is a security improvement. I'm tired of hearing it."

In April, the department received a D grade on an annual congressional report card measuring compliance with the law governing federal information security. The department flunked the previous year.

Charbo said many of the findings cited by the subcommittee are based on data from a year ago and on legacy systems that are in the process of being replaced.

"The department takes these incidents very seriously and will work diligently to ensure they do not occur," Charbo said. "We need to increase our vigilance to ensure that such incidents do not happen again."

Charbo said that DHS Secretary Michael Chertoff's decision to boost the chief information officer's authority will result in a more "coherent and effective" use of IT resources.

"My authority over all of these areas directly affects our overall security posture," Charbo said. "IT programs and acquisitions are being reviewed at the department level to ensure that they are reconciled with the department's strategic goals."

According to subcommittee chairman Rep. James Langevin, D-R.I., the department experienced 844 security incidents in fiscal 2005 and fiscal 2006 on IT networks at its headquarters, the Immigration and Customs Enforcement bureau, U.S. Customs and Border Protection, the Federal Emergency Management Agency and elsewhere.

Congressional investigators found a password dumping application and other malicious files on two DHS systems, computers infected with multiple Trojan horses and viruses, hard copies of user identifications and passwords for a local administrator account, classified e-mails sent over unclassified networks, unauthorized users attaching their personal computers to the DHS network, unauthorized individuals gaining access to DHS equipment and data, and misconfigured firewalls.

"In spite of the significant vulnerabilities in its systems, the department doesn't appear to be in any rush to fix them," Langevin said. "I wish DHS exerted the same level of effort to protect its networks that our adversaries are exerting to penetrate them."

Langevin criticized the department for "failing to dedicate adequate funding" to IT security. While experts agree that agencies should allocate about 20 percent of their IT budgets to cybersecurity, DHS only spends about 6.7 percent to secure its systems, he said.

Charbo said, however, that consultants working with the department have recommended spending between 3 and 8 percent of the IT budget on security.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Federal IT Applications: Assessing Government's Core Drivers

    In order to better understand the current state of external and internal-facing agency workplace applications, Government Business Council (GBC) and Riverbed undertook an in-depth research study of federal employees. Overall, survey findings indicate that federal IT applications still face a gamut of challenges with regard to quality, reliability, and performance management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.