Export Compliance Daily is a service of Warren Communications News.

DHS Disputes GAO at Cybersecurity Subcommittee Hearing

A Government Accountability Office (GAO) report on cyber vulnerabilities on Department of Homeland Security (DHS) networks hit a nerve at DHS, whose CIO strongly disagreed with its core findings at a Wednesday House Homeland Security Cybersecurity Subcommittee hearing. Agency officials sparred over the GAO report’s timeliness, as subcommittee members warned DHS CIO Scott Charbo his job is on the line for what the panel deems a weak response to myriad security incidents.



DHS is no better than the State and Commerce departments in terms of information technology (IT) security, Subcommittee Chairman James Langevin, D-R.I., said in opening remarks. DHS saw 844 incidents in fiscal years 2005 and 2006, including classified e-mails sent over unclassified networks, botnet activity traced to agency computers, unauthorized users connecting to DHS networks and contractor-misconfigured firewalls, he said. DHS spends less of its IT budget on security, about 6.8 percent this year, than the 20 percent experts urge. The department’s IT budget rose by $1 billion in 2006, Langevin said. A coming GAO report will show the US-VISIT system run by the Customs and Border Protection (CBP) component of DHS is full of holes, he said: “How can DHS be the nation’s and the government’s cybersecurity leader with this track record?” He and others are drafting legislation to mandate a national cybersecurity threat assessment by the federal government.

Hypocrisy emanating from DHS “speaks so loud that the [cybersecurity] message is not getting across” to agencies that DHS is supposed to lead by example, said Homeland Security Committee Chairman Bennie Thompson, D-Miss. DHS has not deployed its network-monitoring Einstein system departmentwide, even as it pushes other agencies to secure their networks, he said: “‘Do as I say, not as I do’ policy is a recipe for disaster.” Charbo does not sound “serious” about fixing vulnerabilities, Thompson said. Referring to DHS’s most-recent grade on the Federal Information Security Management Act (FISMA) report card, he said: “The American people are tired of hearing that getting a ‘D’ is a security improvement.”

DHS is improving security by consolidating components, Charbo said. Its legacy wide-area networks are being merged into a single network, e-mail is being standardized for a single framework and data centers are moving to a common environment, he said. The US-VISIT report by GAO -- which DHS only got this week -- lacks “context” for the system’s “overall environment,” and GAO’s audit is a year old, he said. A new “configuration board” led by the DHS deputy CIO will review major configuration changes that impact infrastructure, Charbo said.

DHS has conducted its first inventory of major systems since a critical GAO report in 2005, but “the quality and effectiveness of these actions were not assured,” said Greg Wilshusen, director of information security issues at GAO. The US-VISIT report, not yet public, showed a system “riddled” with control weaknesses, such as not authenticating users or adequately logging visits, he said.

Langevin asked Charbo what DHS had done to stop repeated Chinese cyber-attacks on the Commerce and State departments. Charbo said he got no intelligence briefings on those attacks. DHS believes it has been attacked by other countries, but without “penetrations,” and the attacks do not appear to be coordinated, he said. The botnets traced to DHS computers have never “phoned home” to China as far as the agency can tell, he told Langevin. Langevin asked why DHS does not audit for “rogue tunnels” or use “ingress or egress filtering.” DHS monitors “edge routers” for traffic leaving the agency, not client PCs, he said. A recent FBI report on computers traced to botnets (WID June 14 p6) found 181 .gov addresses compromised, with two traced to DHS, one of which the agency believes is a “spoof,” Charbo said.
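Charbo’s answer describes monitoring only at the edge routers, and the two checks Langevin named can both be run on the flow records those routers already export. The following is an added example written for this page; it is not DHS tooling and was not discussed at the hearing. It applies an egress-filtering policy check and a phone-home (beacon) check to a handful of constructed NetFlow-style records. The internal address range, the egress allow-list and the sample flows are assumptions made for the example.

```python
"""Egress-flow audit over constructed flow records (added example).

Two checks that an edge-router flow export supports without touching client PCs:
  1. egress filtering: outbound flows whose protocol/port is not on the allow-list
     (IRC command-and-control, unapproved VPNs, GRE or IPIP "rogue tunnels");
  2. beacon detection: hosts that contact the same outside address on a
     near-constant schedule, which is what "phoning home" looks like even when
     the port itself (443, 53) is permitted.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record as an edge router or NetFlow collector would export."""
    ts: int      # flow start, epoch seconds
    src: str     # source address (an internal client if this is egress)
    dst: str     # destination address
    proto: str   # "tcp", "udp", "gre", ...
    dport: int   # destination port, 0 for protocols without ports


# Assumed for this example: the internal range, and an egress policy that lets
# only web, DNS and mail leave the network.
INTERNAL = ip_network("10.0.0.0/8")
EGRESS_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)}


def is_egress(f: Flow) -> bool:
    """True for traffic leaving the internal range for an outside host."""
    return ip_address(f.src) in INTERNAL and ip_address(f.dst) not in INTERNAL


def egress_violations(flows):
    """Egress-filtering check: outbound flows not permitted by EGRESS_ALLOW."""
    return [f for f in flows
            if is_egress(f) and (f.proto, f.dport) not in EGRESS_ALLOW]


def beacons(flows, min_hits=5, max_cv=0.2):
    """Phone-home check: (src, dst, dport) tuples seen at least min_hits times
    with a low coefficient of variation (stdev/mean) of the gaps between
    connections.  Returns {key: period_seconds}.  Thresholds are assumptions."""
    by_key = defaultdict(list)
    for f in flows:
        if is_egress(f):
            by_key[(f.src, f.dst, f.dport)].append(f.ts)
    found = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            found[key] = round(avg)
    return found


# Constructed sample records (not real DHS traffic).
SAMPLE = [
    # 10.1.2.3 reaches 203.0.113.10:443 every ~300 s: allowed port, but a beacon
    *(Flow(1000 + i * 300 + jitter, "10.1.2.3", "203.0.113.10", "tcp", 443)
      for i, jitter in enumerate([0, 3, -2, 1, 0, 2])),
    # 10.1.2.4 browses normally: permitted ports, irregular timing, several hosts
    Flow(1010, "10.1.2.4", "203.0.113.20", "tcp", 443),
    Flow(1017, "10.1.2.4", "203.0.113.21", "tcp", 443),
    Flow(1900, "10.1.2.4", "203.0.113.20", "tcp", 443),
    Flow(1950, "10.1.2.4", "203.0.113.22", "tcp", 80),
    # 10.1.2.5 talks IRC to an outside host: the classic bot C2 channel of the era
    Flow(1200, "10.1.2.5", "198.51.100.7", "tcp", 6667),
    # 10.1.2.6 has a GRE tunnel up to an outside host: a "rogue tunnel"
    Flow(1300, "10.1.2.6", "198.51.100.9", "gre", 0),
    # internal-to-internal traffic is not egress and is ignored by both checks
    Flow(1400, "10.1.2.7", "10.9.9.9", "tcp", 445),
]


if __name__ == "__main__":
    for f in egress_violations(SAMPLE):
        print(f"policy violation: {f.src} -> {f.dst} {f.proto}/{f.dport}")
    for (src, dst, port), period in beacons(SAMPLE).items():
        print(f"beacon: {src} -> {dst}:{port} every ~{period}s")
```

On the sample, the policy check flags the IRC session and the GRE tunnel, and the beacon check flags 10.1.2.3 even though port 443 is allowed, which is the gap that filtering alone leaves: a bot that phones home over HTTPS passes every port rule and is only visible through its timing or its destination.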

GAO cannot say “Secure everything, lock everything down,” said Keith Rhodes, chief technologist. But agencies must have “zero tolerance on certain key systems,” he said. “You have to understand what ‘key’ means.” The private sector controls 97 percent of critical infrastructure, and agencies must tell the companies that own the infrastructure what the real threats are -- otherwise companies cannot “take it to the boardroom and justify” spending to combat threats, Rhodes said.

Charbo regularly characterized the GAO audit of US-VISIT as a year old, but actually it began a year ago, Rhodes said. GAO stopped assessments because there was no end in sight to vulnerabilities: “The problems were pervasive. The problems were systemic.” But many are not hard to remedy, Rhodes said, calling them “zero-cost fixes.” Charbo told Rep. Zoe Lofgren, D-Calif., he would provide the committee the US-VISIT contract for review. Asked by Lofgren if the US-VISIT database was “hacked,” Rhodes paused and said: “I did not see controls in place that would prevent it,” or detection systems that would have found intrusions.

The feasibility of auditing the “cloud” -- in this case, network services provided by Sprint and MCI for DHS -- was debated, with Langevin and GAO officials on one side and Charbo on the defensive. One of the carriers misconfigured DHS firewalls, and DHS has admitted that it did not audit the Sprint cloud, passing the buck to the National Cyber Security Division at DHS, Langevin said. But NCSD said that job belongs to Charbo’s office. Auditing the cloud is “essentially auditing the Internet,” Charbo said. GAO has reviewed the cloud at the Centers for Medicare and Medicaid Services (CMS), and CMS took “immediate aggressive action” following GAO’s recommendations, Wilshusen said. Langevin asked if that contradicted Charbo’s portrayal of auditing. “It can be done,” Rhodes said. Langevin called “disturbing” Charbo’s admission that he did not know how long the firewalls were misconfigured, but Charbo said he would check. He also will check to see when topologies for the three local area networks were last updated.

DHS does not deny the gravity of its security incidents but is handling them according to procedure, Charbo said. “Spillage” of classified e-mail onto unclassified networks sometimes results in revoked clearances, he said, promising Thompson that he will check to see how many personnel were disciplined for spillage. Unapproved laptops that contractors plugged into DHS network facilities never actually got network access, he said; such plug-ins trigger an alarm and ejection of the contractors. That is a large problem, Rhodes said. “Contractor staff are so pervasive,” owning and operating many systems for DHS: “Therefore they have free rein.” Charbo said he does not know of every security incident, but if it “impacts the mission,” he will.

IT security requires far less of the DHS budget than the committee is being told, Charbo said. Gartner recommends 3-8 percent of the IT budget, with the high end reserved for “an organization that’s just getting started,” he said. The percentage rose in 2004 when DHS was planning for its tech inventory, and the budget is only flat now for “policy and oversight,” not actual spending on gear and services, he said. Rep. Bob Etheridge, D-N.C., said results should drive DHS spending. Etheridge harped on the rarity with which Charbo seemed to get briefed on incidents. “You don’t know what you don’t know, sir,” Charbo said: “That’s an effort that we'd appreciate some help on” from the committee.