DHS technology chief faces tough questioning at House hearing

The Homeland Security Department's chief information officer needs to explain to Congress why he should keep his job in light of recently uncovered security lapses, the head of the House panel overseeing the department said Wednesday.

Rep. Bennie Thompson, D-Miss., chairman of the Homeland Security Committee, said he is not convinced DHS technology chief Scott Charbo is serious about fixing vulnerabilities in the department's information technology systems.

"If he's not committed to securing our networks, I have to question his ability to lead the department's IT efforts," Thompson said in an opening statement at a hearing before the panel's Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. "I can't understand for the life of me why it takes outside auditors to tell the CIO and his contractors that these networks are insecure."

Lawmakers called on Charbo to answer questions about numerous breaches uncovered by auditors. The Government Accountability Office reported that the department failed to fix vulnerabilities in the IT system supporting the US-VISIT program to track entrances and exits to the United States, for instance, and did not invest adequately in defensive measures.

Thompson questioned how the rest of the government and the private sector could take cybersecurity seriously if DHS doesn't fix its own configurations.

"A 'do as I say, not as I do' policy is a recipe for disaster, and if we are serious about the security risks facing our networks, then we need to start acting and stop posturing," Thompson said. "The American people are tired of hearing that getting a D is a security improvement. I'm tired of hearing it."

In April, the department received a D grade on an annual congressional report card measuring compliance with the law governing federal information security. The department flunked the previous year.

Charbo said many of the findings cited by the subcommittee are based on data from a year ago and on legacy systems that are in the process of being replaced.

"The department takes these incidents very seriously and will work diligently to ensure they do not occur," Charbo said. "We need to increase our vigilance to ensure that such incidents do not happen again."

Charbo said that DHS Secretary Michael Chertoff's decision to boost the chief information officer's authority will result in a more "coherent and effective" use of IT resources.

"My authority over all of these areas directly affects our overall security posture," Charbo said. "IT programs and acquisitions are being reviewed at the department level to ensure that they are reconciled with the department's strategic goals."

According to subcommittee chairman Rep. James Langevin, D-R.I., the department experienced 844 security incidents in fiscal 2005 and fiscal 2006 on IT networks at its headquarters, the Immigration and Customs Enforcement bureau, U.S. Customs and Border Protection, the Federal Emergency Management Agency and elsewhere.

Congressional investigators found a password dumping application and other malicious files on two DHS systems, computers infected with multiple Trojan horses and viruses, hard copies of user identifications and passwords for a local administrator account, classified e-mails sent over unclassified networks, unauthorized users attaching their personal computers to the DHS network, unauthorized individuals gaining access to DHS equipment and data, and misconfigured firewalls.

"In spite of the significant vulnerabilities in its systems, the department doesn't appear to be in any rush to fix them," Langevin said. "I wish DHS exerted the same level of effort to protect its networks that our adversaries are exerting to penetrate them."

Langevin criticized the department for "failing to dedicate adequate funding" to IT security. While experts agree that agencies should allocate about 20 percent of their IT budgets to cybersecurity, DHS only spends about 6.7 percent to secure its systems, he said.

Charbo said, however, that consultants working with the department have recommended spending between 3 and 8 percent of the IT budget on security.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
FROM OUR SPONSORS
JOIN THE DISCUSSION
Close [ x ] More from GovExec
 
 

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • The Big Data Campaign Trail

    With everyone so focused on security following recent breaches at federal, state and local government and education institutions, there has been little emphasis on the need for better operations. This report breaks down some of the biggest operational challenges in IT management and provides insight into how agencies and leaders can successfully solve some of the biggest lingering government IT issues.

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download
  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care

    Download

When you download a report, your information may be shared with the underwriters of that document.