Congress Blasts Homeland Security For Security Breaches

With testimony about 844 "cybersecurity incidents" in two-year span at Department of Homeland Security, one congressman asks why its CIO still has his job.

Sharon Gaudin, Contributor

June 20, 2007


The Department of Homeland Security, the government agency tasked with being the leader of the nation's cybersecurity, suffered 844 "cybersecurity incidents" within two years, a member of the House Committee on Homeland Security reported at a Congressional hearing Wednesday.

Jim Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, said at the hearing Wednesday afternoon that the 844 incidents came during fiscal 2005 and 2006. He also said the infiltration of federal government networks and the possible theft or exploitation of information on them is one of the most critical issues confronting the country, noting that the Chinese have been "coordinating attacks against the Department of Defense for years."

According to Langevin's testimony, the incidents ranged from workstations infected with Trojans and viruses to a compromised department Web site, classified e-mails being sent over unclassified networks, unauthorized users attaching their personal computers to DHS networks and gaining access to government equipment and data. He also said the incidents included "numerous classified data spillages."

The testimony came during a hearing called Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security. The meeting was called to follow up on what has been a series of hearings on the government's cybersecurity. A Congressional hearing was called this spring on a data breach at the U.S. Department of Agriculture, and on April 19 there was a Congressional hearing focused on computer break-ins at both the Department of State and the Department of Commerce last summer.

At the April hearing, Langevin said he was "disappointed and troubled" about the state of the U.S. government's cybersecurity policies. The two computer break-ins at the Department of State and the Department of Commerce last summer, he said, are very likely deeper and more insidious than even the government has reported.

Just a few weeks after that hearing, Committee chairman Bennie G. Thompson, D-Miss., joined committee members in sending a letter to Department of Homeland Security CIO Scott Charbo, requesting detailed information about the security of the department's networks.

On Wednesday, Charbo found himself in the hot seat.

"How can we expect improvements in private infrastructure cyberdefense when DHS bureaucrats aren't fixing their own configurations?" asked Thompson at the hearing. "How can we ask others to invest in upgraded security technologies when the Chief Information Officer grows the department's IT security budget at a snail's pace? How can we ask the private sector to... implement more consistent access controls when DHS allows employees to send classified e-mails over unclassified networks and contractors to attach unapproved laptops to the network?" After running down through a list of similar questions for Charbo, Thompson concluded with one statement. "In light of all of the evidence in front of us, I think the first thing that Mr. Charbo needs to do is explain to us why he should keep his job."

In defense of himself and his department, Charbo said Wednesday that they need to increase their vigilance at the department but that they are on the right track. He noted that the recent loss of an external hard drive at the Transportation Security Administration has prompted a comprehensive review of how the department processes and stores privacy information.

He also pointed to three IT changes they are making at the Department of Homeland Security that will, in part, improve cybersecurity there.

First, he noted that they are collapsing multiple legacy wide-area networks (WANs) into a single enterprise WAN, called OneNet. Charbo also said they are standardizing their 13 different e-mail systems into one new framework that should be easier to secure. That project is due to be completed by the end of this year. And he went on to say that they are collapsing multiple data centers into a common shared environment. Security is being designed into the system from the ground up and he expects their security posture to continue to improve as they move more and more information into the new datacenter.

"Although we still have a ways to go, we've made measurable improvements in the management of information security at the department," he said, adding that in 2007, DHS will spend approximately $4.9 billion for information technology, and $332 million of that goes to IT security. The department has asked for a $5.25 billion IT budget for 2008, with $342 million expected to go toward security.

That comes out to be 6.8% of the department's IT budget and that's simply not enough to do the job, said Langevin, adding that agencies should allocate 20% of their IT budgets to cybersecurity.

"The CIO is failing to engage in defensive best practices that would limit penetration into the DHS networks," said Langevin. "I wish DHS exerted the same level of effort to protect its network as our adversaries are exerting to penetrate them."

The Homeland Security Act of 2002 mandated the merging of 22 federal agencies and organizations to create the Department of Homeland Security.
