DHS technology chief faces tough questioning at House hearing

The Homeland Security Department's chief information officer needs to explain to Congress why he should keep his job in light of recently uncovered security lapses, the head of the House panel overseeing the department said Wednesday.

Rep. Bennie Thompson, D-Miss., chairman of the Homeland Security Committee, said he is not convinced DHS technology chief Scott Charbo is serious about fixing vulnerabilities in the department's information technology systems.

"If he's not committed to securing our networks, I have to question his ability to lead the department's IT efforts," Thompson said in an opening statement at a hearing before the panel's Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. "I can't understand for the life of me why it takes outside auditors to tell the CIO and his contractors that these networks are insecure."

Lawmakers called on Charbo to answer questions about numerous breaches uncovered by auditors. The Government Accountability Office reported that the department failed to fix vulnerabilities in the IT system supporting the US-VISIT program to track entrances and exits to the United States, for instance, and did not invest adequately in defensive measures.

Thompson questioned how the rest of the government and the private sector could take cybersecurity seriously if DHS doesn't fix its own configurations.

"A 'do as I say, not as I do' policy is a recipe for disaster, and if we are serious about the security risks facing our networks, then we need to start acting and stop posturing," Thompson said. "The American people are tired of hearing that getting a D is a security improvement. I'm tired of hearing it."

In April, the department received a D grade on an annual congressional report card measuring compliance with the law governing federal information security. The department flunked the previous year.

Charbo said many of the findings cited by the subcommittee are based on data from a year ago and on legacy systems that are in the process of being replaced.

"The department takes these incidents very seriously and will work diligently to ensure they do not occur," Charbo said. "We need to increase our vigilance to ensure that such incidents do not happen again."

Charbo said that DHS Secretary Michael Chertoff's decision to boost the chief information officer's authority will result in a more "coherent and effective" use of IT resources.

"My authority over all of these areas directly affects our overall security posture," Charbo said. "IT programs and acquisitions are being reviewed at the department level to ensure that they are reconciled with the department's strategic goals."

According to subcommittee chairman Rep. James Langevin, D-R.I., the department experienced 844 security incidents in fiscal 2005 and fiscal 2006 on IT networks at its headquarters, the Immigration and Customs Enforcement bureau, U.S. Customs and Border Protection, the Federal Emergency Management Agency and elsewhere.

Congressional investigators found a password dumping application and other malicious files on two DHS systems, computers infected with multiple Trojan horses and viruses, hard copies of user identifications and passwords for a local administrator account, classified e-mails sent over unclassified networks, unauthorized users attaching their personal computers to the DHS network, unauthorized individuals gaining access to DHS equipment and data, and misconfigured firewalls.

"In spite of the significant vulnerabilities in its systems, the department doesn't appear to be in any rush to fix them," Langevin said. "I wish DHS exerted the same level of effort to protect its networks that our adversaries are exerting to penetrate them."

Langevin criticized the department for "failing to dedicate adequate funding" to IT security. While experts agree that agencies should allocate about 20 percent of their IT budgets to cybersecurity, DHS only spends about 6.7 percent to secure its systems, he said.

Charbo said, however, that consultants working with the department have recommended spending between 3 and 8 percent of the IT budget on security.
