The U.S. Department of Homeland Security (DHS) has problems with virtual borders as well as physical ones. In a hearing this afternoon before a Homeland Security subcommittee in the House of Representatives, DHS CIO Scott Charbo is testifying about more than 800 serious computer security breaches that the department experienced in 2005 and 2006.
According to reports, the episodes included "classified data spills," in which pilfered information was transmitted from government computers, and occasions when software for stealing passwords was found on two internal DHS systems. There were also incidents of Web site security lapses, missing laptops, and unblocked viruses and worms.
'Do as I Say'
Entitled "Hacking the Homeland," the meeting of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology is addressing attacks not only at the DHS headquarters but also at the department's agencies. These include the Transportation Safety Administration, the Coast Guard, the Federal Emergency Management Agency, and Customs and Border Protection.
"'Do as I say, not as I do' policy is a recipe for disaster," Homeland Security Committee Chairman Bennie Thompson (D-Miss.) told reporters, "and if we are serious about the security risks facing our networks, then we need to start acting and stop posturing."
In written testimony released prior to the hearing, DHS CIO Charbo said that the department needed "to increase its vigilance to ensure that such incidents do not happen again."
Governmental monitoring agencies are indicating that the incidents are fundamental and serious. For example, a new report from the Government Accountability Office, scheduled for release later this month, said that these vulnerabilities and incidents "threaten the confidentiality, integrity, and availability of key DHS information and information systems."
One culprit might be underfunding. According to the committee, the department's chief information security officer's budget has either stayed flat or been reduced in each of the last three years, falling from $17.5 million in 2005 to $15 million this fiscal year.
Some observers might characterize this latest development as the governmental equivalent of the shoemaker's children going barefoot, except that other major U.S. departments -- and their offspring agencies -- are also going barefoot.
In April, a report by a House committee gave failing grades for computer security to eight federal agencies, including the Departments of Defense, Agriculture, Commerce, Education, Interior, State and Treasury, and the Nuclear Regulatory Commission. DHS earned a D, an improvement from 2005. Overall, the federal government posted a C-, which wouldn't be good enough to get into Harvard but was an improvement over its previous marks.
There were some agencies, however, that would have made their parents proud. Recipients of A grades from A- to A+ were the Agency for International Development, the Environmental Protection Agency, the General Services Administration, the departments of Justice and Housing and Urban Development, the National Science Foundation, the Office of Personnel Management, and the Social Security Administration.
Despite the high marks, outside organizations have criticized the criteria behind these security grades, arguing that they relate more to how well departments can fill out forms than to their ability to implement actual precautions, including tests that measure their vulnerability to attack.