Lawmaker criticizes DHS cybersecurity nominee

By Chris Strohm

February 7, 2008

The Homeland Security Department has appointed an official who oversaw a cybersecurity contractor whose work is under federal investigation to a key position overseeing a program worth hundreds of millions of dollars to secure computer networks across the federal government.

The Feb. 1 appointment of Scott Charbo, Homeland Security's chief information officer, to be deputy undersecretary for the national protection and programs directorate, drew immediate criticism from House Homeland Security Committee Chairman Bennie Thompson, D-Miss., who was familiar with Charbo's past.

In a letter to Homeland Security Secretary Michael Chertoff, Thompson said an investigation conducted by his committee last year showed Charbo failed to properly address computer security breaches within agencies housed at department headquarters, along with incompetent and possibly illegal activity by private contractor Unisys.

The incidents included the exfiltration of information from Homeland Security Department networks to a Web-hosting service that connects Chinese Web sites, according to Thompson's investigation.

The security breaches that occurred under Charbo's watch and the work by Unisys are now under investigation by the FBI and the Homeland Security Department inspector general, according to Thompson and congressional aides.

The IG's office confirmed to CongressDaily that its investigation is continuing. The FBI would not confirm or deny the existence of an investigation.

Thompson asked the department's Office of Security to conduct an investigation but has yet to get a briefing from officials despite repeated requests.

Thompson said Charbo will be responsible for overseeing a critical part of a massive cybersecurity initiative that the Bush administration has launched.

Chertoff announced this week that the department is requesting about $294 million in its fiscal budget request for its portion of the initiative.

His department will secure computer networks across agencies under the initiative, the details of which remain classified.

"Given his previous failings as chief information officer, I find it unfathomable that you would invest him [Charbo] with this authority," Thompson wrote Chertoff on Feb. 1. "This decision raises concerns about the seriousness of the administration's initiative."

Senate Homeland Security and Governmental Affairs Committee Chairman Joseph Lieberman, I-Conn., did not criticize Charbo's appointment but is "deeply concerned about vulnerabilities in the nation's cybersecurity, as well as DHS' own systems," according to his spokeswoman.

"The committee, however, is conducting vigorous oversight of the cybersecurity initiative to ensure successful deployment and efficient spending of the increasing amount of money Congress has appropriated for the program," she said.

The Homeland Security Department did not make Charbo available for comment Wednesday.

A department spokeswoman issued a statement saying: "It is unfortunate that the chairman [Thompson], who has often criticized the department about vacancies in key leadership positions and the state of morale, has once again chosen to make a personal attack on a department employee who has demonstrated over a number of years his able and dedicated service to this nation."

Charbo was appointed chief information officer in 2005 and later became the department's acting undersecretary for management. None of the positions, including the most recent one, required Senate confirmation.

The spokeswoman said Charbo has "invaluable management skills" and "made impressive progress" on securing computers and networks while institutionalizing "rigorous network security and data and privacy protection programs."

She added that the department takes Thompson's allegations "very seriously" and has provided every incident report to the department's security operations center, as well as to the House Homeland Security Committee when requested.

"The vast majority of these incidents were minor in nature and were resolved quickly, often within hours," she said. "Every incident report has been provided to Chairman Thompson's committee and more than 97 percent of all incidents reported have been closed."

Thompson has claimed that Unisys employees provided "inaccurate and misleading information" to Homeland Security officials about the source of attacks and attempted to hide security gaps.

A Unisys spokeswoman referred to a statement the company issued in September in response to Thompson's allegations about the firm, when they were first reported by the Washington Post.

"Unisys vigorously disputes the allegations . . . ," the company said. "Facts and documentation contradict the claims described in the article, but federal security regulations preclude public comment on specific incidents."

The statement said the company routinely follows prescribed security protocols and had properly reported incidents to the Homeland Security Department.

The department rebid its contract for computer and network security for headquarters agencies in the fall. Unisys submitted a bid but did not win. Instead, a contract worth $362 million was awarded to Lockheed Martin Corp., a Homeland Security spokesman said.
