[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]


 
                  HACKING THE HOMELAND: INVESTIGATING
                  CYBERSECURITY VULNERABILITIES AT THE
                    DEPARTMENT OF HOMELAND SECURITY

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON EMERGING
                      THREATS, CYBERSECURITY, AND
                         SCIENCE AND TECHNOLOGY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 20, 2007

                               __________

                           Serial No. 110-52

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________

                  U.S. GOVERNMENT PRINTING OFFICE
48-926                    WASHINGTON : 2009
-----------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; DC area (202) 512-1800  
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001


                     COMMITTEE ON HOMELAND SECURITY

               BENNIE G. THOMPSON, Mississippi, Chairman

LORETTA SANCHEZ, California,         PETER T. KING, New York
EDWARD J. MARKEY, Massachusetts      LAMAR SMITH, Texas
NORMAN D. DICKS, Washington          CHRISTOPHER SHAYS, Connecticut
JANE HARMAN, California              MARK E. SOUDER, Indiana
PETER A. DeFAZIO, Oregon             TOM DAVIS, Virginia
NITA M. LOWEY, New York              DANIEL E. LUNGREN, California
ELEANOR HOLMES NORTON, District of   MIKE ROGERS, Alabama
Columbia                             BOBBY JINDAL, Louisiana
ZOE LOFGREN, California              DAVID G. REICHERT, Washington
SHEILA JACKSON LEE, Texas            MICHAEL T. McCAUL, Texas
DONNA M. CHRISTENSEN, U.S. Virgin    CHARLES W. DENT, Pennsylvania
Islands                              GINNY BROWN-WAITE, Florida
BOB ETHERIDGE, North Carolina        MARSHA BLACKBURN, Tennessee
JAMES R. LANGEVIN, Rhode Island      GUS M. BILIRAKIS, Florida
HENRY CUELLAR, Texas                 DAVID DAVIS, Tennessee
CHRISTOPHER P. CARNEY, Pennsylvania
YVETTE D. CLARKE, New York
AL GREEN, Texas
ED PERLMUTTER, Colorado

        Jessica Herra-Flanigan, Staff Director & General Counsel

                     Rosaline Cohen, Chief Counsel

                     Michael Twinchek, Chief Clerk

                Robert O'Connor, Minority Staff Director

                                 ______

   SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND 
                               TECHNOLOGY

               JAMES R. LANGEVIN, Rhode Island, Chairman

ZOE LOFGREN, California              MICHAEL T. McCAUL, Texas
DONNA M. CHRISTENSEN, U.S. Virgin    DANIEL E. LUNGREN, California
Islands                              GINNY BROWN-WAITE, Florida
BOB ETHERIDGE, North Carolina        MARSHA BLACKBURN, Tennessee
AL GREEN, Texas                      PETER T. KING, New York (Ex 
VACANCY                              Officio)
BENNIE G. THOMPSON, Mississippi (Ex 
Officio)

                    Jacob Olcott, Director & Counsel

        Dr. Chris Beck, Senior Advisor for Science & Technology

                       Carla Zamudio-Dolan, Clerk

       Dr. Diane Berry, Minority Senior Professional Staff Member

                                  (II)


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               STATEMENTS

The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island, and Chairman, Subcommittee on 
  Emerging Threats, Cybersecurity, and Science and Technology:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas, and Ranking Member, Subcommittee on 
  Emerging Threats, Cybersecurity, and Science and Technology:
  Oral Statement.................................................     5
  Prepared Statement.............................................     6
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Oral Statement.................................................     7
  Prepared Statement.............................................     8
The Honorable Bob Etheridge, a Representative in Congress From 
  the State of North Carolina....................................    28
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California............................................    30

                               Witnesses

Mr. Scott Charbo, Chief Information Officer, U.S. Department of 
  Homeland Security:
  Oral Statement.................................................    10
  Prepared Statement.............................................    12
Mr. Greg Wilshusen, Director, Information Security Issues, 
  Government Accountability Office:
  Oral Statement.................................................    15
  Prepared Statement.............................................    16

Accompanied by:
Mr. Keith A. Rhodes, Chief Technologist, Director, Center for 
  Technology and Engineering, Government Accountability Office...    24

                                Appendix

Additional Questions and Responses:
  Mr. Scott Charbo...............................................    39


 HACKING THE HOMELAND: INVESTIGATING CYBERSECURITY VULNERABILITIES AT 
                  THE DEPARTMENT OF HOMELAND SECURITY

                              ----------                              


                        Wednesday, June 20, 2007

             U.S. House of Representatives,
                    Committee on Homeland Security,
           Subcommittee on Emerging Threats, Cybersecurity,
                                and Science and Technology,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:20 p.m., in 
Room 311, Cannon House Office Building, Hon. James R. Langevin 
[chairman of the subcommittee], presiding.
    Present: Representatives Langevin, Lofgren, Christensen, 
Etheridge, Thompson, ex officio, McCaul, and Brown-Waite.
    Mr. Langevin. The subcommittee will come to order. The 
subcommittee's meeting today is to receive testimony on Hacking 
the Homeland: Investigating Cybersecurity Vulnerabilities at 
the Department of Homeland Security.
    Ladies and gentlemen, good afternoon. I want to thank the 
witnesses for appearing before the subcommittee, and we look 
forward to your testimony today. The Internet has brought our 
friends close and our enemies closer. As each day passes, 
another incident reminds us that our information and our IT 
infrastructures are vulnerable.
    Cases in point: Estonia, a technically savvy country, was 
brought to its knees by hackers who took down government Web 
sites.
    The Pentagon recently asserted that China is developing 
viruses to attack computer systems to obtain electromagnetic 
dominance early in a conflict.
    The incident formerly classified as Titan Rain suggested 
that the Chinese have been coordinating attacks against the 
Department of Defense networks for years.
    This subcommittee has been holding a series of hearings on 
cybersecurity, and it has become very clear the infiltration of 
Federal Government networks and the possible theft or 
exploitation of our information is one of the most critical 
issues confronting our Nation today.
    In April, the subcommittee discussed a series of attacks 
penetrated by hackers--perpetrated by hackers operating through 
Chinese Internet servers against computer systems at the 
Departments of Commerce and State. Hackers were able to 
penetrate Federal systems and use ``rootkits,'' a form of 
software that allows attackers to mask their presence, to send 
information back out of our own systems. At the time, I was 
critical of the security efforts at both State and Commerce, 
but assured them that I would be posing the same kinds of 
questions about network security to DHS. Well, that is why we 
are here today.
    It was actually a shock and a disappointment to learn that 
the Department of Homeland Security, the agency charged with 
being the lead in our national cybersecurity, has suffered so 
many significant cybersecurity incidents in its own networks. 
It is equally disturbing that the Department is so slow to 
respond to fixing these problems.
    DHS reported to the committee that it experienced 844 
cybersecurity incidents in fiscal years 2005 and 2006. These 
incidents occurred on IT networks at DHS headquarters, ICE, 
CBP, FEMA and others. I would like to take a minute to share a 
few representative incidents of what I am talking about:
    A password dumping utility and other malicious files were 
found on two DHS systems.
    Computers contained suspicious beaconing activity and an 
IRC bot, which is a generic detection for a group of backdoor 
Trojan horses that allows a hacker to control the compromised 
computer.
    Workstations infected with multiple Trojans and viruses.
    The user ID and passwords for a local administrator were 
found in hard copy.
    A Department Web site has been compromised.
    Classified e-mails were sent over unclassified networks.
    A workstation was infected with a Trojan scanning for port 
137, an event that clearly demonstrated individuals attempting 
to scan DHS systems through the Internet.
    Unauthorized software was installed on an asset that could 
allow security settings circumvention.
    Unauthorized users had been attaching their personal 
computers to DHS networks.
    Unauthorized individuals gained access to DHS equipment and 
data.
    Firewalls had been misconfigured by a contractor to allow 
all ICMP traffic to and from the Internet.
    And there had been numerous classified data spillages, 
according to our reports.
    I am going to stop there. Each of these incidents that I 
have just mentioned represents a significant security breach. 
Some of these incidents are the result of blatant disregard by 
DHS IT policy, and I hope that those responsible have been 
properly disciplined. But others are reminiscent of classic 
attack patterns by formidable adversaries.
    We saw these exact incidents on State Department and 
Commerce Department computers several months ago. These aren't 
just my conclusions. In spite of some of the significant 
vulnerabilities in its systems, the Department doesn't appear 
to be in any rush to fix them.
    Now, according to the September 2006 DHS IG report on DHS 
information systems, 69 percent of the 3,566 open 
vulnerabilities that existed on the Department's networks did 
not include the resources required for remediating those 
vulnerabilities. In fact, some of the agencies aren't even 
reporting incidents to the DHS Computer Security Incident 
Response Center, CSIRC, as required by law.
    These components apparently don't understand that 
vulnerabilities on their individual systems can affect the 
entire Homeland Security network. Furthermore, information 
provided by DHS suggests that the CIO is failing to engage in 
best defense practices that would limit penetrations into DHS 
networks. DHS does not conduct rogue tunnel audits, ingress/
egress filtering on DHS personal computers, widespread internal 
and external penetrations tests on its systems, audits on IT 
contractors. DHS hasn't mandated two factor authentication 
across the Department, which would demonstrate what types of 
critical vulnerabilities remain on DHS networks. How can DHS be 
the Nation's and the government's cybersecurity leader with 
this kind of a track record?
    The fact is, DHS is failing to dedicate adequate funding to 
network security. The finances show that Mr. Charbo and the 
Department's leadership continue to underinvest in IT security. 
Mr. Charbo cut funding for the chief information security 
officer and only slightly increased the IT security budget. 
Experts agree that agencies should allocate around 20 percent 
of their IT budgets to cybersecurity, and yet DHS is only 
spending 6.8 percent to secure their systems. All of this is 
happening while the Department's IT budget was increased by $1 
billion last year.
    Unfortunately, the failure to invest in defensive measures 
and mitigate vulnerabilities is jeopardizing the Department's 
mission. That is not just my conclusion; that is the conclusion 
that the GAO reached in an upcoming report about the IT systems 
supporting US-VISIT. GAO will report that these IT systems are 
riddled with significant information security control 
weaknesses that place sensitive and personally identifiable 
information at increased risk of unauthorized disclosure and 
modification, misuse, and destruction, possibly without 
detection, and place program operations at increased risk of 
disruption.
    What does all of this mean? It means that terrorists or 
nation-states could be hacking Department of Homeland Security 
databases, changing or altering their names to allow them 
access to this country, and we wouldn't even know that they 
were doing it. If we care about protecting our homeland from 
dangerous people, we have to care about the security of the 
information that we use to accomplish that mission.
    I wish that DHS exerted the same level of effort to protect 
its networks that our adversaries are exerting to penetrate 
them. But as long as this striking and dangerous imbalance 
persists, the success of the Department's mission remains in 
serious doubt.
    Again, I want to thank the witnesses for being here today. 
I look forward to probing these critical issues further.
    [The statement of Mr. Langevin follows:]

    Prepared Opening Statement of the Honorable James R. Langevin, 
Chairman, Subcommittee on Emerging Threats, Cybersecurity, and Science 
                             and Technology

     Ladies and gentlemen, good afternoon. I thank the 
witnesses for appearing before the Subcommittee, and we look forward to 
your testimony.
     The Internet has brought our friends close and our enemies 
closer.
     As each day passes, another incident reminds us that our 
information and our IT infrastructures are vulnerable to attacks.
         Estonia--a technologically savvy country--was brought 
        to its knees by hackers who took down government websites.
         The Pentagon recently asserted that China is 
        developing viruses to attack computer systems to obtain 
        ``electromagnetic dominance early in a conflict.''
         The incident formerly classified as Titan Rain 
        suggested that the Chinese have been coordinating attacks 
        against Department of Defense networks for years.
         This Subcommittee has been holding a series of 
        hearings on cybersecurity, and it has become clear to me that 
        the infiltration of federal government networks and the 
        exfiltration of our information is one of the most critical 
        issues confronting our nation.
     In April, the Subcommittee discussed a series of attacks 
perpetrated by hackers operating through Chinese Internet servers 
against computer systems at the Departments of Commerce and State.
     Hackers were able to penetrate Federal systems and use 
``rootkits''--a form of software that allows attackers to mask their 
presence--to send information back out of our systems.
     At the time, I was critical of the efforts by both State 
and Commerce, but assured them that I would be asking the same kinds of 
questions about network security to DHS.
     That's why we're here today.
     I am disappointed to learn that the Department of Homeland 
Security--the agency charged with being the lead in cybersecurity--has 
suffered so many significant security incidents on its networks. DHS 
reported to the Committee that it experienced 844 ``cybersecurity 
incidents'' in fiscal years 2005 and 2006. These incidents occurred on 
IT networks at DHS headquarters, ICE, CBP, FEMA, and others.
     I will share a few representative incidents:
         A password dumping utility and other malicious files 
        were found on two DHS systems.
         Computers contained suspicious beaconing activity, an 
        IRC bot, and other malware.
         Workstations infected with multiple Trojans and 
        viruses.
         The User id and passwords for a local administrator 
        account were found in hard copy.
         A Department website has been compromised.
         Classified emails were sent over unclassified 
        networks.
         A workstation was infected with a Trojan scanning for 
        port 137.
         Unauthorized software was installed on an asset that 
        could allow security setting circumvention.
         Unauthorized users have been attaching their personal 
        computers to the DHS network.
         Unauthorized individuals gained access to DHS 
        equipment and data.
         Firewalls have been misconfigured by a contractor to 
        allow all ICMP traffic to and from the Internet.
         And there have been numerous ``Classified data 
        spillages.''
     I'll stop there. Each of these incidents that I've just 
mentioned represents a significant security breach.
     Some of these incidents are the result of blatant 
disregard of DHS IT policy, and I hope that those individuals have been 
properly disciplined.
     But other incidents are reminiscent of classic attack 
patterns by formidable adversaries--we saw these exact incidents on 
State Department and Commerce Department computers several months ago.
     In spite of the significant vulnerabilities to its 
systems, the Department doesn't appear to be in any rush to fix them. 
According to the September 2006 DHS IG report on DHS information 
systems, 69% of the 3,566 open vulnerabilities that exist on the 
Department's networks did not include the resources required for 
remediating those vulnerabilities. In fact, some components aren't even 
reporting incidents to the DHS Computer Security Incident Response 
Center (CSIRC), as required by law.
     These components apparently don't understand that 
vulnerabilities on their systems can affect the entire Homeland 
Security network. Furthermore, information provided by DHS suggests 
that the CIO is failing to engage in defensive best practices that 
would limit penetrations into the DHS networks.
     DHS does not conduct rogue tunnel audits, ingress/egress 
filtering on DHS client personal computers, widespread internal and 
external penetration tests on its systems, audits on IT contractors. 
DHS hasn't mandated two factor authentication across the Department.
     How can DHS be the cybersecurity leader with this track 
record? DHS is failing to provide adequate funding to network security.
     The finances show that Mr. Charbo and the Department's 
leadership continue to under-invest in IT security. Mr. Charbo cut 
funding for the Chief Information Security Officer and only slightly 
increased the IT security budget. All of this is done while the 
Department's IT budget was increased by $1 b last year.
     Unfortunately, the failure to invest in defensive measures 
and mitigate vulnerabilities is jeopardizing the Department's mission.
     That's the conclusion that the GAO reached in a report 
that they're about to release about the IT systems supporting US-VISIT.
     GAO will report that these IT systems are ``riddled with 
significant information security control weaknesses that place 
sensitive and personally identifiable information at increased risk of 
unauthorized disclosure and modification, misuse, and destruction 
possibly without detection, and place program operations at increased 
risk of disruption.''
     What does this mean?
     It means that terrorists or nation states could be hacking 
Department of Homeland Security databases, changing or altering their 
names to allow them access to this country, and we wouldn't even know 
they were doing it. If we care about protecting our homeland from 
dangerous people, we have to care about the security of our information 
that we use to accomplish the mission.
     I wish DHS exerted the same level of effort to protect its 
networks that our adversaries are exerting to penetrate them.
     But as long as the effort level remains imbalanced, the 
success of the Department's mission remains in doubt.
     This concludes my opening statement.

    Mr. Langevin. And at this time, the Chair now recognizes 
the ranking member of the subcommittee, the gentleman from 
Texas, Mr. McCaul, for the purpose of an opening statement.
    Mr. McCaul. And I thank the chairman for holding this 
hearing on the state of information security at the Department 
of Homeland Security.
    This is an issue of national security, and it is an issue 
that I am glad that you brought to the forefront. As we learned 
last month, our Federal systems are under attack on a near-
constant basis. Viruses and spam are the least of our worries. 
There is evidence that organized, malicious hackers are 
targeting government systems, as well as those of government 
contractors. These attacks result in a truly frightening 
outflow of information from our departments and our Federal 
agencies, and the only way to counter these hackers is to 
improve our security posture and stay as vigilant and proactive 
as possible to counter them.
    Unfortunately, outside hackers are not the only threats to 
our sensitive information. Malicious insiders, untrained users, 
and basic carelessness are also threats to the integrity of our 
networks. Information systems have become so pervasive and so 
complex that users have become a weak link in the security 
chain. End users of our systems need to receive proper security 
training, and security policies need to be clear and 
responsive.
    The Department has had the challenge of putting together 22 
different agencies and components, each with its own security 
policies and culture. No doubt this is a very tough job. I look 
forward to the testimony of Mr. Scott Charbo, the Chief 
Information Officer, who will testify on the challenges of 
combining the legacy system into a single system, and how he 
has designed the security program to protect the Department's 
networks and systems. And I hope that the GAO will offer some 
constructive criticism and provide workable recommendations for 
the Department.
    Beyond the operational responsibilities of Mr. Charbo, 
there are aspects of the Department's other cybersecurity 
programs I would like this subcommittee to investigate. 
Specifically, I am concerned that the Department may not be 
coordinating their efforts enough with private sector experts, 
and am interested to see how the Department has worked with the 
private sector to protect the country as a whole.
    I would also like to see a report on what the Department 
has done and a road map for where it plans to go in the future.
    Most importantly, I would like to see, and this is long 
overdue, a strategic national vulnerability assessment to be 
done on United States cybersecurity. This has never been done. 
It is long overdue, and the Nation deserves it, and the Nation 
needs this to protect it. I have said it before: I believe an 
attack on our information infrastructure could be worse than 
the effects of a weapon of mass destruction, and I would hope 
the Department would take it just as seriously.
    Mr. Chairman, I hope the subcommittee can continue to 
assist the Department in its efforts to protect and secure this 
country's critical information infrastructure, and I yield back 
the balance of my time.
    [The statement of Mr. McCaul follows:]

Prepared Opening Statement of the Honorable Michael T. McCaul, Ranking 
 Member, Subcommittee on Emerging Threats, Cybersecurity, and Science 
                             and Technology

    Thank you, Mr. Chairman. I appreciate you holding this hearing on 
the state of information security at the Department of Homeland 
Security. As we learned last month our federal systems are under attack 
on a near constant basis. Viruses and spam are the least of our 
worries. There is evidence that organized malicious hackers are 
targeting government systems as well as those of government 
contractors. These attacks result in a flow of information out of our 
Departments and Agencies that is truly frightening. The only way to 
counter these hackers is to improve our security posture, staying as 
vigilant and proactive as possible in order to take effective action to 
counter the effects of these hackers.
    Unfortunately, outside hackers are not the only threats to our 
sensitive information, malicious insiders, untrained users and basic 
carelessness are also threats to the integrity of our networks. 
Information systems have become so pervasive and so complex that users 
have become a weak link in the security chain. End users of our systems 
should receive proper security training which includes basic awareness 
and operational techniques to secure the systems they use. Security 
polices need to be clear and responsive to the threat involved and 
users need to know why they are required to use these ``extra steps'' 
when they are just trying to get their job done.
    The Department has had the challenge of putting together 22 
different agencies and components, each with its own security policies 
and culture. This includes putting together various facilities that 
have been transferred to DHS oversight such as the Plum Island Animal 
Disease Center the Department took over from the USDA. No doubt, this 
is a tough job.
    I am happy to have the Department's Chief Information Officer, Mr. 
Scott Charbo, here to testify how he has faced the challenge of 
combining the legacy systems into a single system and how he has 
designed the security program to protect the Department's networks and 
systems. I imagine GAO will offer some constructive criticism and 
provide workable recommendations for the Department to work with in the 
future to better secure its systems.
    Beyond the operational responsibilities of Mr. Charbo, there are 
aspects of the Departments' other cybersecurity programs I would like 
this subcommittee to investigate. Specifically, I am concerned that the 
Department's efforts to secure the country's information infrastructure 
are lacking in organization and coordination with the private sector 
and experts in the field. While this is beyond the responsibilities of 
Mr. Charbo, I am interested to see how the Department has worked with 
the private sector to map vulnerabilities and implement mitigation 
efforts to protect the country as a whole. I have said it before, I 
believe an attack on our information infrastructure could be worse than 
the effects of a weapon of mass destruction and I would hope the 
Department takes it just as seriously. I am interested to hear about 
the coordination role the Department has taken regarding the 
vulnerabilities facing the Nation's information infrastructure, from 
secure software development to control system protection measures. I 
would like to see a report on what the Department has done and a road 
map for where it plans to go in the future, including what it hopes to 
accomplish with these future efforts.
    Mr. Chairman, I hope this subcommittee can continue to assist the 
Department in its efforts to protect and secure this Country's critical 
information infrastructure.

    Mr. Langevin. I thank the gentleman.
    The Chair now recognizes the Chairman of the full 
committee, Mr. Thompson of Mississippi, for the purposes of an 
opening statement.
    Mr. Thompson. Thank you very much, Mr. Chairman. And good 
afternoon to our witnesses. I appreciate you for holding this 
hearing and for your efforts on cybersecurity.
    Chairman Langevin touched on the national security 
implications of this issue, and I would like to associate 
myself with his remarks. But I would also like to focus my 
comments this afternoon on a quote by Ralph Waldo Emerson, the 
great American essayist and poet, who once said, ``What you do 
speaks so loud that I cannot hear what you say.''
    Two months ago Assistant Secretary for Cybersecurity Greg 
Garcia spoke at the Computer Associates World Conference in Las 
Vegas. There, he told a captive audience several things.
    Though security incidents result from exploitation of 
defects in software design or code, they are also caused by 
users not fixing their configurations to their security 
requirements. He also went on to say that security incidents 
are also caused by insider problems stemming from poor employee 
training, inconsistent access control policy, and fragmented 
security implementation and patch management practices.
    The Assistant Secretary asked the audience, as he has been 
asking audiences all over the country, to perform risk 
assessments on their networks; establish security policies 
according to risk profiles; invest and upgrade technology 
solutions, systems, and training; and continue to test, audit, 
and fix systems.
    In light of the materials I have reviewed for this hearing, 
I think that Mr. Garcia probably should have given that speech 
to the folk here in Washington, D.C.
    Now, there are a lot of folks over in the CIO's office who 
need to hear that message. How can the Department of Homeland 
Security be a real advocate for sound cybersecurity practices 
without following some of its own advice? How can we expect 
improvements in private infrastructure cyberdefense when DHS 
bureaucrats aren't fixing their own configurations? How can we 
ask others to invest in upgraded security technologies when the 
chief information officer grows the Department's IT security 
budget at a snail's pace? How can we ask the private sector to 
better train employees and implement more consistent access 
controls when DHS allows employees to send classified e-mails 
over unclassified networks and contractors to attach unapproved 
laptops to those same networks?
    I am not suggesting that the Department discontinue its 
cybersecurity message to the public and private sectors. But 
what the Department is doing on its own networks speaks so loud 
that the message is not getting across to anyone else.
    It is not just the private sector that is getting 
doublespeak from DHS. It is the rest of the Federal Government 
too. Einstein is the National Cybersecurity Division's sensor 
system that analyzes suspicious network traffic. Over a dozen 
Federal agencies use this system. Yet the CIO does not deploy 
Einstein across the Department. I ask Mr. Charbo today, what 
kind of message does that send about the Einstein program? If 
it is good enough for other Federal agencies, why isn't it good 
enough for DHS?
    The ``do as I say, not as I do'' policy is a recipe for 
disaster, and if we are serious about the security risks facing 
our networks, then we need to start acting and stop posturing. 
I have spent some time reviewing Mr. Charbo's responses to our 
questions and reviewing the numerous IG and GAO audits of his 
work. I am not convinced that he is serious about fixing the 
vulnerabilities in our systems; and if he is not committed to 
securing our networks, I have to question his ability to lead 
the Department's IT efforts.
    I can't understand for the life of me why it takes outside 
auditors to tell the CIO and his contractors that these 
networks are insecure.
    The American people are tired of hearing that getting a 
``D'' is a security improvement. I am tired of hearing it.
    The American people are tired of hearing their government 
say one thing but do another.
    What happened to leadership? What happened to vision? What 
happened to accountability? What happened to excellence?
    Mr. Langevin, in light of the evidence in front of us 
today, I think the first thing that Mr. Charbo needs to explain 
is why he should be able to keep his job.
    I thank you for holding this hearing. I look forward to 
asking the questions of the witnesses, and I yield back the 
balance of my time.
    [The statement of Mr. Thompson follows:]

 Prepared Statement of the Honorable Bennie G. Thompson, Chairman, 
                     Committee on Homeland Security

    I'd like to focus my comments this afternoon on a quote by Ralph 
Waldo Emerson, the great American essayist and poet who once said: 
``What you do speaks so loud that I cannot hear what you say.''
    Two months ago, assistant Secretary for Cybersecurity Greg Garcia 
spoke at the Computer Associates World Conference in Las Vegas. There, 
he told a captive audience several things:
    Though security incidents result from the exploitation of defects 
in software design or code, they are also caused by users not fixing 
their configurations to their security requirements. Security incidents 
are also caused by insider problems stemming from poor employee 
training, inconsistent access control policy, and fragmented security 
implementation and patch management practices.
    The Assistant Secretary asked the audience--as he has been asking 
audiences across this country--to perform risk assessments on their 
networks; establish security policies according to risk profiles; 
invest in and upgrade technology solutions, systems, and training; and 
continue to test, audit, and fix systems.
    In light of the materials I've reviewed for this hearing, I think 
that Mr. Garcia probably should have given that speech to folks here in 
Washington, D.C.
    There are a lot of folks over in the CIO's office who need to hear 
that message. How can the Department of Homeland Security be a real 
advocate for sound cybersecurity practices without following some of 
its own advice? How can we expect improvements in private 
infrastructure cyberdefense when DHS bureaucrats aren't fixing their 
own configurations? How can we ask others to invest in upgraded 
security technologies when the Chief Information Officer grows the 
Department's IT security budget at a snail's pace? How can we ask the 
private sector to better train employees and implement more consistent 
access controls when DHS allows employees to send classified emails 
over unclassified networks and contractors to attach unapproved laptops 
to the network?
    I am not suggesting that the Department discontinue its 
cybersecurity message to the public and private sectors. But what the 
Department is doing on its own networks speaks so loud that the message 
is not getting across to anybody else.
    It's not just the private sector that's getting double-speak from 
DHS. It's 
the rest of the Federal government too. `Einstein' is the National 
Cybersecurity Division's sensor system that analyzes suspicious network 
traffic. Over a dozen Federal agencies use this system. Yet the CIO 
does not deploy Einstein across the Department. I ask Mr. Charbo today, 
what kind of message does that send about the Einstein program? If it's 
good enough for the other Federal agencies, why isn't it good for DHS?
    ``Do as I say, not as I do'' policy is a recipe for disaster, and if 
we are serious about the security risks facing our networks, then we 
need to start acting and stop posturing. I've spent some time reviewing 
Mr. Charbo's responses to our questions, and reviewing the numerous IG 
and GAO audits of his work. I am not convinced that he's serious about 
fixing the vulnerabilities in our systems.
    And if he's not committed to securing our networks, I have to 
question his ability to lead the Department's IT efforts. I can't 
understand for the life of me why it takes outside auditors to tell the 
CIO and his contractors that these networks are insecure.
    The American people are tired of hearing that getting a `D' is a 
security improvement. I'm tired of hearing it.
    The American people are tired of hearing their government say one 
thing but do another.
    What happened to leadership? What happened to vision? What happened 
to accountability? What happened to excellence? In light of all of the 
evidence in front of us, I think the first thing that Mr. Charbo needs 
to do is explain to us why he should keep his job.

    Mr. Langevin. I thank the chairman.
    All the members of the subcommittee are reminded, under the 
committee rules, opening statements may be submitted for the 
record.
    I now welcome our first panel of witnesses. Our first 
witness is Scott Charbo, the Chief Information Officer of the 
Department of Homeland Security. Mr. Charbo leads the resource 
efforts of the information technology assets supporting 180,000 
Federal employees at the 22 agencies now comprising DHS.
    Prior to joining DHS in June 2005, Mr. Charbo was the Chief 
Information Officer at the U.S. Department of Agriculture from 
August of 2002. Mr. Charbo holds a Bachelor of Science degree 
in biology from the University of Tampa, and a Master of 
Science degree in plant science from the University of Nevada-
Reno.
    Our second witness, Gregory Wilshusen, is Director for 
Information Security Issues at GAO, where he leads information 
security-related studies and audits of the Federal Government. 
He has over 26 years of auditing, financial management, and 
information systems experience. Mr. Wilshusen holds a B.S. 
degree in business administration, accounting, from the 
University of Missouri, and an M.S. in information management 
from George Washington University.
    Our third witness is Keith Rhodes, the Chief Technologist 
of the U.S. General Accounting Office, and Director of the 
Center for Technology and Engineering. Mr. Rhodes provides 
assistance throughout the legislative branch on computers and 
telecommunications issues and leads reviews requiring 
significant technical expertise. Mr. Rhodes holds degrees in 
computer engineering and engineering physics from Ohio State 
University and the University of California at Los Angeles, 
respectively. Mr. Rhodes will be supporting Mr. Wilshusen 
during the question-and-answer period.

  STATEMENT OF SCOTT CHARBO, CHIEF INFORMATION OFFICER, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Mr. Langevin. Without objection, the witnesses' full 
statements will be inserted into the record. And I now ask each 
witness to summarize their statement for 5 minutes, beginning 
with Mr. Charbo.
    Mr. Charbo. Thank you, Mr. Chairman, Ranking Member McCaul, 
Chairman Thompson, members of the subcommittee, for allowing me 
this opportunity to testify.
    The Department has implemented numerous changes to improve 
and address emerging information security risks and challenges, 
while at the same time enhancing information sharing. Key 
results include the following:
    In 2005, the Department baselined the systems inventory, 
which became the cornerstone for managing the risks and 
progress within the Department.
    In 2006, the plan improved overall security accreditation 
and certification compliance from 21 percent to 94 percent of 
the Department's systems.
    In 2006 and 2007, the Department has used the DHS inventory 
and improved security accreditation to help identify the risks 
to the Department information systems. We have implemented the 
DHS Security Operations Center and the concept of operations 
for the SOC. This improved incident handling and reporting 
process now provides us better situational awareness of our 
information security posture and improved visibility into 
component security events.
    Since the start of 2007, we have closed 45 percent of the 
financial system notifications of findings and recommendations, 
findings on our financial systems within the DHS components.
    We have three key initiatives that are taking a more 
proactive approach to addressing emerging threats in 
cybersecurity:
    The legacy wide area networks, or WANs, are being collapsed 
into a single WAN called OneNet. OneNet has been designed to 
enhance security and fully implements the IPSec protocol, 
ensuring all traffic on the WAN is fully encrypted and 
authenticated.
    The Department is standardizing all electronic mail, e-mail 
and directory services into a single, secure, modern framework.
    The last initiative is to collapse the multiple legacy data 
centers into a common, shared and secured environment.
    This first phase of the consolidation is up and running, 
and the legacy systems are currently being migrated. As I 
briefed many of you, a more complete situational awareness 
picture of our information security posture now ensures that 
our NOC SOC has better enterprise visibility.
    Currently, our data from scans, the DHS SOC, and component 
reports do not support a position that our networks are 
compromised or that missions have been impacted. We will 
continue to diligently monitor and adjust to the changing 
landscape.
    Recently, the GAO completed a review of the information 
security controls that protect information and security systems 
used to support the CBP US-VISIT program. The audit lasted for 
over a year, and many of the findings are based on data from a 
year ago. The report identified 45 security weaknesses and 
generated 56 report recommendations. CBP replied to the GAO on 
June 18th of 2007, with a detailed report, which I will 
highlight.
    The GAO report did not consider compensating or mitigating 
controls, where legacy or technical barriers make a control 
impractical to implement. The GAO audit examined the CBP US-
VISIT systems without context of the overall CBP environment, 
including the significant upgrades made over the past year.
    For example, password protecting the system BIOS data is a 
significant technical and operational challenge that is 
effectively managed through physical security access 
restrictions and proper user training. Although one control may 
be deficient at the system level, additional controls exist at 
the network or facility level to compensate.
    Another example, that an Internet service provider had 
unrestricted direct access to the CBP network was not concurred 
because the service is staffed by CBP-cleared personnel, with 
full field background investigations and access limited via a 
dedicated internal connection for the purpose of network 
management.
    CBP has already taken significant steps towards mitigating 
many findings that have been verified by the GAO. This is 
missing from the draft report. The majority of network findings 
are a direct result of legacy systems still used when CBP did 
not have the capability of supporting or enforcing many of the 
newer security controls. They must be secured via compensating 
controls. These systems are in the process of being replaced.
    For example, CBP has completed 50 percent--56 percent of 
the Microsoft XP Active Directory and Microsoft Exchange 
upgrades. CBP has upgraded 75 percent of its Novell service 
from 50 to 6.5, a more secure platform.
    Mr. Chairman, my goal as the CIO is to continue the 
improvements in the Department's security posture by focusing 
on data, the results, and being proactive. For the remainder of 
fiscal year 2007, my office will take the following actions:
    We are establishing and implementing a configuration board, 
chaired by the deputy CIO, the highest career IT official in 
DHS.
    The board will review and approve all major configuration 
changes to the Department's infrastructure that can adversely 
impact the security posture, as well as review all significant 
DHS SOC notifications.
    We will complete the initial round of compliance reviews 
for all components that ensure that plans and actions and 
milestones, POAMs, are being completed, and weaknesses are 
being retired expeditiously.
    We will direct, identify, test, and approve for use 
standards for removable media devices, focusing on thumb drives 
that are compliant with FIPS 140-2.
    We will complete analysis regarding the mission impact for 
best methods for monitoring secure socket layer connections.
    While many challenges lie ahead, we are committed to bring 
the right processes, architecture, and resources together to 
bring a balanced IT security process to the Department.
    I thank you for this opportunity, and would be glad to 
address any questions.
    Mr. Langevin. Thank you for your testimony.
    [The statement of Mr. Charbo follows:]

                   Prepared Statement of Scott Charbo

    Thank you, Mr. Chairman, Ranking Member McCaul and Members of the 
Subcommittee, for allowing me this opportunity to testify before the 
subcommittee. My remarks will cover the current status of the 
Department's information security posture.
    You have no doubt heard reports of recent information security 
incidents at various federal agencies, including the Department of 
Homeland Security. Certainly, we need to increase our vigilance to 
ensure that such incidents do not happen again, and, in fact, the 
recent loss of an external hard drive at the Transportation Security 
Administration has prompted a comprehensive review of how the 
Department processes and stores privacy information. My office 
continues to work closely with the Department's Privacy Office and the 
Chief Human Capital Office to improve the effectiveness of our controls 
for privacy information.
    The Department takes these incidents very seriously, and will work 
diligently to ensure they do not recur. I'd like to describe for you 
some of the significant progress we have recently made in improving 
information security at the Department. The Department is presently 
working under a decentralized IT governance model. We have named CIOs 
and attendant IT support staff in each of the major components 
comprising the Department. To ensure that this model is effective, 
Secretary Chertoff recently instituted changes in the oversight 
functions of the Chief Information Officer for the Department. The 
revised Management Directive 0007.1 Information Technology Integration 
and Management has increased my authority to manage and direct the 
Department's information technology programs. Specifically:
        1. Components must provide their information technology (IT) 
        budgets annually to the DHS Chief Information Officer for 
        review; I will then make recommendations to the Secretary for 
        final budget submissions to the Office of Management and 
        Budget.
        2. Any proposed IT acquisition greater than $2.5 million must 
        be reviewed and approved by the DHS Chief Information Officer. 
        These IT acquisitions are defined as services for IT, software, 
        hardware, communications, and infrastructure.
        3. Before IT investment proposals greater than $2.5 million are 
        submitted to the DHS Chief Information Officer for approval, 
        the Department's Enterprise Architecture Board must approve the 
        investment and certify its alignment with the Department's 
        enterprise architecture.
        4. I approve the hiring of Component Chief Information 
        Officers, as well as set and approve their performance plans, 
        ratings, and annual award compensation in cooperation with 
        component directors.
    The result will be a more coherent and effective utilization of IT 
resources. IT programs and acquisitions are being reviewed at the 
Department-level to ensure that they are reconciled with the 
Department's strategic goals and that information security, enterprise 
architecture and infrastructure considerations are built into them.
    The Department's Information Security Program touches virtually 
every aspect of IT management, to include budget formulation and 
implementation, system and network design, enterprise and component 
specific IT operations, information security policy and architecture, 
and compliance with the Federal Information Security Management Act 
(FISMA). My authority over all of these areas directly affects our 
overall security posture. I would like to mention three key IT 
consolidation initiatives that we have started to not only better align 
our shared enterprise environment, but to enhance enterprise 
information security.
    First, we are collapsing multiple legacy wide-area networks (WANs) 
into a single enterprise WAN, called OneNet. OneNet is based on a 
comprehensive security architecture that uses the latest IT 
technologies. For example, the new consolidated WAN fully implements 
the IPSec protocol, an authentication and encryption protocol that 
ensures the confidentiality of all data transiting the WAN. And, as a 
key part of the transition to OneNet, we have also implemented a 
comprehensive Security Operations Center (SOC) Concept of Operations 
(CONOP). This CONOP details more efficient processes for the day-to-day 
management of security functions for OneNet, as well as for reporting 
incidents both internally to the SOC, and externally to the United 
States Computer Emergency Readiness Team (US-CERT) and other Law 
Enforcement and government agencies when required. To aid this effort, 
we've created the SOCONLINE Incident Reporting web tool for incident 
reporting, management and closure.
    Second, we are standardizing all email and directory services into 
a single, modern framework that is much more secure than the legacy 
environments we inherited. The department had 13 different email 
systems when it was formed. We have standardized the Target Enterprise 
Architecture for email, deployed a Global Address List and are on track 
to transition all components to the new email standards by December of 
2007. These improvements will eliminate several security 
vulnerabilities in our email posture and simplify its management.
    Third, we are collapsing multiple datacenters into a common shared 
environment. The first phase of our first datacenter is up and running 
in Stennis, Mississippi, and we are now in the process of migrating 
legacy systems into that center. Security has been designed into the 
Stennis facility from the start and as systems migrate to that facility 
our security posture will continue to improve.
    These initiatives will not only enhance our ability to store, 
process, and share information, they will also enhance our ability to 
ensure the confidentiality, integrity, and availability of that 
information.
    In addition to these three major consolidation activities, I have 
also begun another activity in conjunction with the Chief Financial 
Officer to enhance the security of our core financial systems. Each 
component CIO and CFO jointly presented a detailed remediation plan for 
improving the security of our core financial systems; this was done 
with the knowledge of both our Inspector General and independent 
auditors. These plans were personally approved by me, the Department 
CFO, and the Under Secretary for Management. In addition to ensuring 
the implementation of these plans, my office partners with the CFO and 
his team on other issues. One example of our continuing collaboration 
is a series of workshops that my office has sponsored to assist 
components in improving the security of these core financial systems. 
Due to the combined CIO/CFO efforts, we are now making significant 
progress in resolving prior financial audit findings.
    It is my responsibility to ensure that our IT systems comply with 
all federal and department policies. I now review each component's IT 
budget and expenditures as outlined in the Exhibit 53s and 300s and 
ensure their alignment in the following areas:
        1. The Secretary's goals and priorities;
        2. The Department's enterprise architecture;
        3. Needs definition and business case alignment;
        4. Privacy rules and regulations;
        5. Section 508 (Accessible Systems and Technology) compliance;
        6. Information security compliance; and,
        7. IT infrastructure compliance.
    In 2007, the Department will spend approximately $4.9 billion for 
information technology, and $332 Million of that is dedicated to IT 
security. We have requested $5.2 billion for IT in 2008, and we are 
planning to spend $342 Million on IT security. These numbers represent 
approximately 6.8% of the total IT budgets for each of those years. 
Last week, I completed reviews for all component-level IT budgets for 
fiscal years 2009--2013. These detailed reviews provided me valuable 
insights into all areas of the Department's information technology 
programs, and it has given visibility into departmental activities in 
information technology from strategic mission, portfolio, and 
technology perspectives. These reviews will allow me to make informed 
recommendations to the Secretary concerning the Department's IT budget 
for these future years, while ensuring that all program elements, 
especially IT security, are adequately addressed.
    On the expenditure side, we are working to make sure our 
acquisitions are in line with our requirements for information 
security; so far, I have conducted 130 IT Acquisition reviews for 
security compliance (as well as enterprise architecture, infrastructure 
compatibility, business case maturity, etc.), and I have favorably 
adjudicated many issues to ensure that information security 
requirements are met in all IT acquisitions.
    As part of the process of reviewing and making recommendations for 
component IT budgets, I also take into account components' performance 
in mitigating their information security vulnerabilities. Included in 
this improved Management Directive is the authority to recommend budget 
changes in areas where a component's information security posture is 
weak. While I have not yet recommended that a component's budget be 
modified in response to a lack of success in mitigating 
vulnerabilities, I have provided guidance and direction, both 
informally and in some cases in writing, to the components that are not 
satisfactorily progressing in their remediation efforts, and with 
recommended changes.
    To ensure compliance with the Federal Information Security 
Management Act (FISMA), my Chief Information Security Officer (CISO) 
maintains a comprehensive systems inventory of all government-owned and 
contractor-managed systems. The Department's Office of Inspector 
General has reviewed the inventory methodology and continues to give it 
high marks for both completeness and accuracy. DHS's Information 
Security Program has made measurable progress, enough that unlike all 
previous years the Inspector General's annual FISMA assessment did not 
rate it as a significant deficiency in 2006.
    System owners, government and contractor alike, are held 
accountable for completing all elements of FISMA compliance for each 
system. The CISO produces a monthly scorecard, providing each component 
with an honest assessment of their status. Each component is provided a 
current assessment on status of certification and accreditation for 
every system in the inventory, annual controls testing, incident 
reporting, configuration management, information security training, and 
information security vulnerability management. The scorecards address 
the security of internal DHS systems as well as contractor operations. 
Additionally, the CISO has teams in place that conduct regular training 
and assist visits, with the current emphasis on vulnerability 
resolution and configuration management.
    I review this scorecard with all component CIOs in regular meetings 
set aside for this purpose and we discuss the scorecard at Management 
Council at least monthly. I also present this scorecard to the 
Secretary and Deputy Secretary periodically, and they in turn emphasize 
security with agency heads as appropriate. Most of our components have 
made exceptional progress in improving their overall FISMA posture. 
Since March 2007, I have written letters to the Directors of three 
components pointing out program deficiencies and suggesting ways to 
improve.
    While the monthly scorecard is the most visible product of the 
Department's Information Security Program, there is also a continuing 
emphasis on the basic tenets of effective information security with the 
understanding that progress in large federal agencies can only be 
achieved in increments. The Department's Information Security Program 
is in the third phase of its 5-year strategic plan.
    In the first phase, the Program focused on ``establishing a 
baseline.'' Basic information security policy and architecture were 
established and automated tools for enforcing the Department's policy 
were implemented. A thorough inventory of the Department's IT systems 
was conducted and system owners were identified to ensure 
accountability for system security.
    In the second phase, the Program focused on completing the 
accreditation of its IT systems. The significant goal of documenting 
and accepting system risk was accomplished. The implementation of the 
FY 2006 Certification and Accreditation (C&A) Remediation Plan 
generated a 68 percent increase in the number of systems accredited. 
The Department's C&A completion rate went from 26 percent in October 
2005 to 95 percent by the end of 2006.
    We now have a steady-state baseline from which to build. Our 
security policies and architecture are continually updated to respond 
to changing federal guidance, evolving missions, and new threats, and 
the certification and accreditation process is institutionalized across 
the Department. The current and future phases of the Information 
Security Program are aimed at incrementally ``raising the bar'', and 
our focus is not only on improving the documentation of controls and 
processes, but, more importantly on enhancing the operational security 
of every system.
    To this end, we are now evaluating and improving systems security 
profiles at the system level, and review teams are providing 
assistance to Components in improving security plans and contingency 
plans, as well as providing assistance in other areas including 
configuration management and vulnerability remediation. We currently 
have over 4000 IT security related Plans of Action and Milestones 
(POAM) active, all targeting weaknesses identified through internal 
systems-level reviews, including certification and accreditation and 
annual assessments, as well as external audits including those 
conducted by our Inspector General and the Government Accountability 
Office. So far in 2007, we have completed remediation efforts for over 
7000 weaknesses, and all of the weaknesses identified in the recent GAO 
Audit of the US-VISIT Program now have active POAMs with scheduled 
completion dates by the end of 2007. We have also completed several 
tests starting with our most sensitive systems and our Network 
Perimeters.
    Although we still have a ways to go, we've made measurable 
improvements in the management of information security at the 
Department. We're not the only ones making this point. The Office of 
Management and Budget's (OMB) 2006 Report to Congress noted the 
significant progress we've made in certifying and accrediting the 
Department's IT systems. I am confident that the DHS Information 
Security Program is moving in the right direction and I look forward to 
working with you and your staff in the future.
    Thank you and I look forward to your questions.

    Mr. Langevin. The GAO submitted one testimony for the 
record, but we have two witnesses on the panel to answer 
questions from the subcommittee. And at this time, I now 
recognize Mr. Wilshusen to summarize his statement for 5 
minutes. Mr. Wilshusen.

  STATEMENT OF GREG WILSHUSEN, DIRECTOR, INFORMATION SECURITY 
                             ISSUES

    Mr. Wilshusen. Chairman Langevin, Ranking Member McCaul, 
Chairman Thompson, and members of the subcommittee, thank you 
for inviting me to participate in today's hearing on 
information security at the Department of Homeland Security, 
DHS. I am joined by Mr. Keith Rhodes, the GAO's chief 
technologist.
    Information security is a critical consideration for any 
organization that depends on information systems and computer 
networks to carry out its mission or business. It is especially 
important for government agencies such as DHS, where 
maintaining the public's trust is essential.
    The Homeland Security Act of 2002 created DHS by merging 
components of 22 Federal agencies and components. Each of these 
brought with it management challenges, distinct missions, 
unique IT resources and systems, and its own policies and 
procedures, thereby making implementation and integration of an 
effective department-wide information security program a 
significant challenge. Today, I will discuss the implementation 
of DHS's security program and the effectiveness of computer 
security controls for key information systems.
    Shortcomings of DHS security programs persist, although 
some progress has been made. In 2005, we reported that DHS had 
not fully implemented a comprehensive, department-wide program 
to properly protect the information systems that support its 
operations and assets. For example, the Department did not have 
a complete inventory of its systems, and component agencies did 
not fully or effectively perform key program activities, such 
as developing risk assessments, preparing security plans, 
testing and evaluating the effectiveness of security controls, 
completing remedial actions from known vulnerabilities, and 
developing and testing continuity of operations plans. We 
recommended that DHS take specific actions to address these 
problems.
    Since our 2005 report, DHS has taken steps to improve its 
security program. For example, it completed an inventory of its 
major systems for the first time in fiscal year 2006. DHS also 
implemented key program activities, such as contingency plan 
testing, security control testing, and system certification and 
accreditation on an increasing percentage of its systems. 
However, the quality and effectiveness of these activities was 
not assured, and program deficiencies continue to exist. These 
deficiencies contribute, Mr. Chairman, to serious computer 
security control weaknesses that threaten the confidentiality, 
integrity, and availability of key DHS systems.
    For example, DHS's independent auditors reported that 
security over its financial systems was a material weakness and 
in internal control for fiscal year 2006.
    In addition, GAO determined that key systems operated by 
one of DHS's components, the U.S. Customs and Border 
Protection, were riddled with control weaknesses and did not 
effectively prevent, limit, and detect access to its computer 
networks, systems, and information.
    For example, it did not adequately identify and 
authenticate users, sufficiently limit access to information 
and information systems, properly protect external and internal 
boundaries of computer networks, effectively implement physical 
security at several locations, or provide adequate log-in or 
user accountability for key information technology resources. 
As a result, increased risk exists that unauthorized 
individuals, internal and external to the organization, could 
read, copy, delete, add, and modify sensitive and personally 
identifiable information and disrupt service on DHS systems.
    We are making recommendations to the Department to help it 
address these issues.
    In summary, DHS has made some progress in implementing its 
department-wide information security program. However, 
deficiencies in program activities continue to exist and 
contribute to serious control weaknesses. Until DHS and its 
components act to fully and effectively implement its security 
program and mitigate known weaknesses, they will have limited 
assurance that sensitive information and computer systems will 
be sufficiently safeguarded or that departmental missions and 
goals will be achieved.
    Mr. Chairman, this concludes my statement. Mr. Rhodes and I 
would be happy to answer questions.
    [The statement of Messrs. Wilshusen and Rhodes follows:]

               Prepared Statement of Gregory C. Wilshusen

    Mr. Chairman and Members of the Committee:
    Thank you for inviting us to participate in today's hearing on 
information security at the Department of Homeland Security (DHS). 
Information security is a critical consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business. It is especially important for government 
agencies such as DHS, where the public's trust is essential. For many 
years, GAO has reported that poor information security is a widespread 
problem with potentially devastating consequences. In reports to the 
Congress since 1997,\1\ GAO identified information security as a 
governmentwide high-risk issue.
---------------------------------------------------------------------------
    \1\ GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: 
January 2007).
---------------------------------------------------------------------------
    In this testimony, GAO discusses DHS' department-wide information 
Security program and computer security controls for key information 
systems. We based this testimony, in part, on our previously issued 
reports,\2\ and our draft report--that has been provided to DHS for 
review and comment--on computer security controls for certain 
information systems operated by the U.S. Customs and Border Protection 
(CBP). We also considered our analysis of the department's annual 
Federal Information Security Management Act (FISMA) \3\ reports for 
2005 and 2006 and the department's performance and accountability 
report for 2006. The work on which this testimony is based was 
performed in accordance with generally accepted government auditing 
standards.
---------------------------------------------------------------------------
    \2\ GAO, Information Security: Department of Homeland Security 
Needs to Fully Implement Its Security Program, GAO-05-700 (Washington, 
D.C.: June 2005) and Information Security: Department of Homeland 
Security Faces Challenges in Fulfilling Statutory Requirements, GAO-05-
567T (Washington, D.C.: April 2005).
    \3\ FISMA was enacted as title III, E-Government Act of 2002, Pub. 
L. No. 107-347 (Dec. 17, 2002) and requires agencies and their 
inspectors general or independent external auditors to report annually 
on the effectiveness of their security policies and compliance with the 
requirements of the Act. GAO, Information Security: Agencies Report 
Progress But Sensitive Data Remains at Risk, GAO-07-935T (Washington, 
D.C.: January 2007) describes the results of GAO's analysis of the 2006 
FISMA reports for 24 agencies including DHS.

Results in Brief
    Shortcomings in DHS information security program remain although 
progress has been made. In 2005, we reported that DHS had not fully implemented 
a comprehensive, department-wide information security program to 
protect the information and information systems that support its 
operations and assets. For example, the department did not have a 
complete inventory of its systems and component agencies did not fully 
or effectively perform key program activities such as developing risk 
assessments, preparing security plans, testing and evaluating the 
effectiveness of security controls, completing remedial action plans, 
and developing and testing continuity of operations plans. We 
recommended that DHS take specific actions to address these problems. 
Since our 2005 report, DHS has taken steps to improve its security 
program. For the first time, DHS completed a comprehensive inventory of 
its major applications and systems in fiscal year 2006. DHS has also 
implemented a department-wide tool that incorporates the guidance 
required to adequately complete a certification and accreditation for 
all systems and has implemented key program activities such as 
contingency plan testing, security control testing, and system 
certification and accreditation, on an increasing percentage of its 
systems. However, the quality or effectiveness of these activities was 
not assured and deficiencies continue to exist.
    These program deficiencies contribute to significant weaknesses in 
computer security controls that threaten the confidentiality, 
integrity, and availability of key DHS information and information 
systems. For example, DHS' independent auditors reported that security 
over its financial systems was a material weakness in internal control 
for fiscal year 2006. In addition, GAO determined that CBP did not 
implement controls to effectively prevent, limit, and detect access to 
certain computer networks, systems, and information since it did not 
(1) adequately identify and authenticate users; (2) sufficiently limit 
access to information and information systems; (3) ensure that controls 
adequately protected external and internal boundaries; (4) effectively 
implement physical security at several locations; (5) consistently 
encrypt sensitive data traversing the communication network; and (6) 
provide adequate logging or user accountability for the mainframe, 
workstations, or servers.
    CBP also did not always ensure that responsibilities for system 
development and system production were sufficiently segregated. As a 
result, increased risk exists that unauthorized individuals, internal 
and external to the organization, could read, copy, delete, add, and 
modify sensitive and personally identifiable information and disrupt 
service on DHS systems.
    Until DHS and its components act to fully and effectively implement 
its security program and mitigate known weaknesses, they will have 
limited assurance that sensitive information and computer systems will 
be sufficiently safeguarded or that departmental missions and goals 
will be achieved. Implementation of GAO's recommendations will assist 
DHS in mitigating the deficiencies described in this statement.

Background
    To address the challenge of responding to current and potential 
threats to homeland security--one of the federal government's most 
significant challenges--the Homeland Security Act of 2002 mandated the 
merging of 22 federal agencies and organizations to create the 
Department of Homeland Security (DHS). Not since the creation of the 
Department of Defense in 1947 has the federal government undertaken a 
transformation of this magnitude. Each of the 22 agencies and 
organizations brought with it management challenges, distinct missions, 
unique information technology infrastructures and systems, and its own 
policies and procedures, thereby making the implementation and 
integration of an effective department-wide information security 
program a significant challenge.
    DHS' mission, in part, is to prevent and deter terrorist attacks 
within the United States,\4\ reduce the vulnerability of the United 
States to terrorism, and to minimize the damage, and assist in the 
recovery, from terrorist attacks that do occur.\5\ One of the 
department's components, the United States Customs and Border 
Protection (CBP), is responsible for securing the nation's borders.
---------------------------------------------------------------------------
    \4\ 6 U.S.C. Sec. 113(a).
    \5\ 6 U.S.C. Sec. 111(b).
---------------------------------------------------------------------------
    Virtually all DHS and CBP operations are supported by automated 
systems and electronic data, and the agency would find it difficult, if 
not impossible, to carry out its mission and account for its resources 
without these information assets. Hence, the degree of risk caused by 
security weaknesses is high. For example, resources (such as payments 
and collections) could be lost or stolen, data could be modified or 
destroyed, and computer resources could be used for unauthorized 
purposes or to launch attacks on other computer systems. Sensitive 
information could be inappropriately disclosed, browsed, or copied for 
improper or criminal purposes. Critical operations could be disrupted, 
such as those supporting homeland security and emergency services. 
Finally, DHS' missions could be undermined by embarrassing incidents, 
resulting in diminished confidence in its ability to conduct operations 
and fulfill its fiduciary responsibilities.
    According to FISMA, the Secretary of DHS is responsible for 
providing information security protections commensurate with the risk 
and magnitude of harm resulting from unauthorized access, use, 
disclosure, disruption, modification, or destruction of information and 
information systems used by the agency or by a contractor on behalf of 
the agency. The Secretary has delegated to the DHS Chief Information 
Officer (CIO) responsibility for ensuring compliance with federal 
information security requirements and reporting annually to the 
Secretary on the effectiveness of the department's information security 
program. The CIO designated the Chief Information Security Officer 
(CISO) to
         develop and maintain a department-wide information 
        security program, as required by FISMA;
         develop departmental information security policies and 
        procedures to address the requirements of FISMA;
         provide the direction and guidance necessary to ensure 
        that information security throughout the department is 
        compliant with federal and departmental information security 
        requirements and policies; and
         advise the CIO on the status and issues involving 
        security aspects of the departmentwide information security 
        program.

Shortcomings in DHS Information Security Program Remain Although 
Progress Has Been Made
    In 2005, GAO reported \6\ that DHS had not fully or effectively 
implemented a comprehensive, department-wide information security 
program to protect the information and information systems that support 
its operations and assets. Although DHS had developed and documented 
policies and procedures that could provide a framework for implementing 
the department's program, certain departmental components had not yet 
fully implemented key program activities. For example, components' 
weaknesses in implementing these activities included (1) incomplete 
risk assessments for determining the required controls and the level of 
resources that should be expended on them; (2) missing required 
elements from information system security plans for providing a full 
understanding of the existing and planned information security 
requirements; (3) incomplete or nonexistent test and evaluation of 
security controls for determining the effectiveness of information 
security policies and procedures; (4) missing required elements from 
remedial action plans for identifying the resources needed to correct 
or mitigate identified information security weaknesses; and (5) 
incomplete, nonexistent, or untested continuity of operations plans for 
restoring critical systems in the case of unexpected events.
---------------------------------------------------------------------------
    \6\ GAO-05-700.
---------------------------------------------------------------------------
    The table below indicates with an ``x'' where GAO found weaknesses 
with key information security program activities for six systems and 
applications reviewed at four components.
Table 1: Weaknesses in Information Security Program Activities for 
Selected Systems

-------------------------------------------------------------------------------------------------------------
DHS system              DHS component   Risk         Security   Security test    Remedial       Continuity of
                                        assessment   plan       and evaluation   action plans   operations
-------------------------------------------------------------------------------------------------------------
Major application       US-VISIT        n/a          X a        n/a              n/a            n/a
Major application       ICE                                     X                X              X
Major application       TSA                                     X                X              X
General support system  ICE             X                       X                               X
General support system  TSA             X                       X                X              X
General support system  EP&R            X            X                           X              X
-------------------------------------------------------------------------------------------------------------

Source: GAO analysis of information 
security documentation for United States 
Visitor and Immigrant Status Indicator 
Technology (US-VISIT), Immigration and Customs 
Enforcement (ICE), Transportation Security 
Administration (TSA), and Emergency 
Preparedness and Response (EP&R) systems.

a For each system, we obtained and 
reviewed all documentation contained in 
the certification and accreditation package--
with the exception of US-VISIT--in this 
case, we reviewed only the security 
plan.

    We also reported that DHS had not yet fully developed a 
complete and accurate systems inventory and used an enterprise 
management tool, known as Trusted Agent FISMA, that contained 
unreliable data for overseeing the components' reported performance 
data on their compliance with key information security activities. The 
DHS Inspector General reported that the data in the tool were not 
verified, there was no audit trail capability, material weaknesses were 
not consistently reported or linked to plans of action and milestones, 
and plans of action and milestones that had been identified and 
documented were not current.
    To assist DHS in addressing these issues, we recommended that it 
establish milestones for verifying the components' reported performance 
data in Trusted Agent FISMA and instruct its component agencies to
         develop complete risk assessments;
         document comprehensive security plans;
         fully perform testing and evaluation of security 
        controls;
         complete remedial action plans; and
         develop, document, and test continuity of operations 
        plans.

DHS Has Taken Steps to Improve Security Program, but Deficiencies 
Persist
    In response to our recommendations, the department has made several 
improvements in its information security program. For example, DHS 
officials stated that they had developed a plan to address all of the 
recommendations in our 2005 report. For the first time, DHS completed a 
comprehensive inventory of its major applications and general support 
systems, including contractor and national security systems, for all 
organizational components in FY 2006. DHS also implemented a 
departmentwide tool that incorporated the guidance required to complete 
a certification and accreditation \7\ for all systems. The completion 
of these two tasks eliminated two factors that had significantly 
impeded the department in achieving some success in establishing its 
security program over the previous two years. In addition, the CISO 
revised the baseline information technology security policies and 
procedures and mandated that the components ensure that their systems 
meet the requirements specified in the DHS baseline configuration 
guides.
---------------------------------------------------------------------------
    \7\ Certification is the comprehensive evaluation of the 
management, operational, and technical security controls in an 
information system to determine the effectiveness of these controls and 
identify existing vulnerabilities. Accreditation is the official 
management decision to authorize operation of an information system. 
This authorization explicitly accepts the risk remaining after the 
implementation of an agreed-upon set of security controls.
---------------------------------------------------------------------------
    With the exception of providing security awareness training to 
employees, the department has also implemented key program activities 
such as conducting specialized security training, testing and 
evaluating controls, testing contingency plans, and certifying and 
accrediting systems, for an increasing percentage of its systems or 
personnel in FY 2006 (see figure below). 


    However, the quality or effectiveness of certain information 
security program activities has not been assured. Although CBP has made 
important progress in implementing the department's information 
security program, it has not fully or effectively implemented key 
program activities. For example,
         Risk assessments performed for systems supporting a 
        key border protection program did not always fully characterize 
        risks to the systems;
         Interconnection security agreements listed in the 
        security plan for a key system were not current;
         Procedures for testing and evaluating the 
        effectiveness of security controls were not sufficient and did 
        not reveal problems with a mainframe computer that potentially 
        allowed unauthorized users to read, copy, change, delete, and 
        modify sensitive information;
         CBP did not always address significant deficiencies in 
        a remedial action plan thereby exposing sensitive information 
        to increased risk of unauthorized disclosure or modification;
         CBP did not adequately establish and implement tools 
        and processes to ensure timely detection and handling of 
        security incidents; and
         CBP had incomplete or out-of-date privacy documents 
        for systems supporting a key border protection program.

Significant Control Weaknesses Place Sensitive Information and 
Operations at Risk
    Significant weaknesses in computer security controls threaten the 
confidentiality, integrity, and availability of key DHS information and 
information systems.
    Independent external auditors identified over 130 information 
technology control weaknesses affecting the department's financial 
systems during the audit of its fiscal year 2006 financial statements. 
Weaknesses existed in all key general controls and application 
controls. For example, systems were not certified and accredited in 
accordance with departmental policy; policies and procedures for 
incident response were inadequate; background investigations were not 
properly conducted; and security awareness training did not always 
comply with departmental requirements. Additionally, users had weak 
passwords on key servers that process and house DHS financial data, and 
workstations, servers, and network devices were configured without 
necessary security patches. Further, changes to sensitive operating 
system settings were not always documented; individuals were able to 
perform incompatible duties such as changing, testing, and implementing 
software; and service continuity plans were not consistently or 
adequately tested. As a result, material errors in DHS' financial data 
may not be detected in a timely manner.
    Although CBP has made progress in addressing security 
vulnerabilities, significant problem areas still remain. Certain CBP 
systems supporting a key border protection program were riddled with 
control weaknesses that placed sensitive and personally identifiable 
information at increased risk of unauthorized disclosure and 
modification, misuse, and destruction possibly without detection, and 
placed program operations at increased risk of disruption. Weaknesses 
existed in all control areas and computing device types reviewed. 
Deficiencies in controls intended to prevent, limit, and detect access 
to information and information systems exposed CBP's mainframe 
computer, network infrastructure, servers, and workstations to insider 
and external threats, as the following examples demonstrate. CBP did 
not:
         Adequately identify and authenticate users in systems. 
        For example, passwords were transmitted over the network in 
        clear text and were stored using weak encryption.
         Sufficiently limit access to information and 
        information systems. For example, over one thousand users with 
        command line access could put a program designed to bypass 
        security rules into a special system library.
         Ensure that controls adequately protected external and 
        internal network boundaries. For example, internal network 
        traffic was not segregated. Moreover, workstations and many 
        servers did not have host based firewalls.
         Effectively implement physical security at several 
        locations. For example, CBP did not control access to its 
        restricted information technology spaces since its physical 
        access systems were controlled by local authorities.
         Consistently apply encryption to protect sensitive 
        data traversing the communication network. For example, network 
        routers, switches, and network management servers used 
        unencrypted network protocols so that files traversing the 
        network could be read.
         Adequately provide audit logging or user 
        accountability for the mainframe computer, workstations, or 
        servers. For example, monitoring lists for key operating system 
        libraries did not capture needed data for all sensitive 
        libraries in the desired locations.
         Always ensure that responsibilities for system 
        development and system operations or production were 
        sufficiently segregated. For example, mainframe system 
        programmers were allowed to access application production data 
        and developmental staff could access mainframe operating system 
        libraries. Moreover, developmental staff had update access to 
        the application production data.
         Consistently maintain secure configurations on the 
        mainframe, applications servers, and workstations we reviewed 
        at the data center and ports of entry. For example, production 
        servers and workstations were missing critical operating system 
        and software application security patches.
        As a result, increased risk exists that unauthorized 
        individuals, internal and external to the organization could 
        read, delete, add, and modify sensitive and personally 
        identifiable information and disrupt service on DHS systems.
    To assist in enhancing departmental security, GAO has previously made 
recommendations to DHS in implementing its information security program 
and is making additional recommendations in two draft reports currently 
being reviewed by the department. Implementation of these 
recommendations will facilitate improvements in the department's 
information security posture.
--------------------------------------------------------
    In summary, DHS has made progress in implementing its 
departmentwide information security program. However, the effectiveness 
of its program is not assured. Deficiencies in key program activities 
continue to exist and contribute to significant computer security 
control weaknesses that place (1) sensitive information and information 
systems at increased risk of unauthorized disclosure, use, 
modification, or destruction, possibly without detection, and (2) 
agency operations at risk of disruption.
    Ensuring that weaknesses are promptly mitigated and that controls 
are effective will require senior management support and leadership, 
disciplined processes, and effective coordination between DHS and its 
components. It also requires consistent oversight from the Secretary of 
DHS and the Congress. Until DHS and its components act to fully and 
effectively implement its information security program and mitigate 
known weaknesses, limited assurance will exist that sensitive 
information will be sufficiently safeguarded against unauthorized 
disclosure, modification, and destruction, or that DHS programs will 
achieve their goals.
    Mr. Chairman, this concludes our statement. We would be happy to 
answer your questions.
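    The prepared statement above reports that CBP passwords "were stored using weak encryption." The following is an added illustration, not code from GAO, DHS, or CBP, of why that finding matters and what the corrected control looks like: an unsalted single-round digest beside a salted, iterated key derivation, plus a small audit check that an assessor can run over a stored credential table. The user names, passwords, and the 600,000 iteration count are constructed assumptions for the example.

```python
"""Weak vs. hardened password storage (added example; not GAO, DHS, or CBP code)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption for this example: an iteration count of the order current
# guidance recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


# --- Weak scheme: unsalted, single-round MD5.  Two users with the same
#     password get the same stored value, and a precomputed table recovers it.
def weak_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


# --- Hardened scheme: per-user random salt, PBKDF2-HMAC-SHA256 with many
#     iterations, and a constant-time comparison on verification.
def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Self-describing record so the parameters can be rotated later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: refuse rather than guess
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- Audit check: identical stored values reveal shared passwords.
#     In a salted scheme this list is empty even when users share a password.
def duplicate_digests(records: Dict[str, str]) -> List[Tuple[str, str]]:
    seen: Dict[str, str] = {}
    dups: List[Tuple[str, str]] = []
    for user, digest in records.items():
        if digest in seen:
            dups.append((seen[digest], user))
        else:
            seen[digest] = user
    return dups


if __name__ == "__main__":
    # Constructed sample accounts; "alice" and "bob" deliberately share a password.
    users = {"alice": "Winter2006!", "bob": "Winter2006!", "carol": "Spring2007?"}

    weak_table = {u: weak_store(p) for u, p in users.items()}
    strong_table = {u: strong_store(p) for u, p in users.items()}

    print("weak scheme, shared-password pairs:  ", duplicate_digests(weak_table))
    print("strong scheme, shared-password pairs:", duplicate_digests(strong_table))
    print("strong verify alice:", strong_verify("Winter2006!", strong_table["alice"]))
    print("strong verify wrong:", strong_verify("guess", strong_table["alice"]))
```

The `duplicate_digests` check is the kind of evidence an auditor collects without ever learning a password: a non-empty result under a production credential store is itself a finding, because it shows the store leaks password equality and therefore cannot be salted.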

    Mr. Langevin. I thank you, Mr. Wilshusen, for your 
testimony. I thank the panel for their testimony.
    I remind each member that each member will have 5 minutes 
to question the panel, and I now recognize myself for 5 
minutes.
    Mr. Charbo, what we found in terms of staff investigative 
work, and also the GAO report, is very disturbing in terms of 
weaknesses in security at the Department of Homeland Security. 
I want to begin my questioning by asking this:
    Several months ago, hackers operating through Chinese 
Internet service launched an attack on the computer system at 
the Bureau of Industry and Security at the Department of 
Commerce. Hackers operating through Chinese Internet servers 
also accessed networks at several State Department locations, 
including its Washington headquarters and inside the Bureau of 
East Asian and Pacific Affairs.
    Now, we are familiar with public reports about the 
cyberattacks against the Department of Defense that were once 
code-named Titan Rain. As I mentioned in my opening statement, 
the infiltration of our data is a serious problem. And I want 
to know what the Department has done to stop it.
    Have you ever requested or received intelligence briefings 
about Chinese hackers penetrating Federal networks? And on a 
scale of zero to 10, how concerned are you about this threat?
    Mr. Charbo. Myself, I have not received an intel brief on 
those incidences. We have had an intel brief that was 
coordinated through the Federal CIO Council with OMB through 
the support of DOD that did not report directly back to any 
evidence within DHS of any incidences from that data. It did 
identify other departments, but it did not point back to DHS.
    Do we experience scans from foreign countries? We believe 
so; we report those. Those are not penetrations. From a scale 
of one to 10, it is significant. It would be at a high scale in 
terms of a concern.
    I believe we do have a decent perimeter for the Department, 
where we are trapping things that come through, but none of 
those point back to being an orchestrated attack on the 
Department.
    Mr. Langevin. And the other day we had the chance to go 
over this in a meeting that we had, but for the record, have 
you ever requested a briefing on those issues?
    Mr. Charbo. Sir, I have not; on those specific issues I 
have not requested a briefing. We have asked the intel 
organizations to come in and do monitoring and reviews, using 
some of their skills, on our system. We have done numerous 
cases of those.
    Mr. Langevin. Mr. Charbo, DHS incident number 2006-09-30 
refers to suspicious beaconing activity, or botnets, on DHS 
computers. Now this is a common method of attack for 
sophisticated hackers to enter into networks and send out 
beacons in order to begin infiltrating data.
    Have DHS computers ever, quote-unquote, ``phoned home'' to 
Chinese servers?
    Mr. Charbo. I have not had any data that supports that. We 
have a filing within US-CERT. It is important to understand 
that the US-CERT incidences that we report, this 800 number, 
that is not a penetration. Those are events that we report up 
as a data-gathering tool for DHS, for the Federal Government, 
for the US-CERT to communicate out.
    Of those incidences, they are categorized. You place those 
into categories of significance based upon what you believe you 
are seeing at the time when you file that report. We had 844 of 
those in 2005 and 2006. It varies from ``I lost a laptop'' to 
``a phone I lost''; or it was ``something was stolen'' to ``we 
find malicious ware that is on a laptop.'' But we are capturing 
that as it scanned onto the network. It is very important to 
understand that.
    Of those events which are bots, we have--I have no 
evidence, I have no data that points back that it was actually 
phoning back to a Chinese network.
    Mr. Langevin. Mr. Charbo, I would also like to discuss DHS 
incident 2006-09-041, where a password dumping utility and 
other possibly malicious files were found on two DHS systems. 
This obviously looks like the work of experienced hackers.
    Once hackers are inside the system, they perform what is 
known in the industry as a ``rogue tunnel.'' This tunnel allows 
them to access the station through a beacon--through a back 
door, even when it appears that they have been removed from the 
system.
    Now, performing a rogue tunnel audit would allow you to 
determine whether the hackers are still within your systems. My 
question is, if you were concerned about bots on your 
computers, experts suggest conducting ingress and egress 
filtering on individual client PCs. Yet you report that DHS 
does not perform rogue tunnel audits nor does it apply ingress 
and egress filtering. Why not?
    Mr. Charbo. The question was, do we apply ingress and 
egress filters on client PCs. We do not do that.
    Mr. Langevin. Why?
    Mr. Charbo. We do monitor the edge routers.
    Mr. Langevin. Why don't you do that?
    Mr. Charbo. Because we monitor the traffic going outside of 
our Internet gateway, which is where traffic is leaving the 
Department. So we look at data as it revolves around that.
    If we do find evidence that there may be something 
suspicious happening, if we track something on the network or 
something comes in through a USB, which is common, or a laptop 
is remotely removed from the network, because they are mobile, 
we have people that are out in fields, they won't receive a 
patch upgrade.
    As it comes back into our environment, that configuration 
is now off; we will trap things. If it has collected a virus 
that has come in or patches have come into our configuration 
controls, that may need to be updated.
    So we will trap it at that point within our environment, 
and then we remove that. We report those up.
    Mr. Langevin. What about the rogue tunnel audits? I think 
these sound particularly dangerous, a rogue tunnel on your 
system. And obviously it is masked, it is very difficult to 
detect; why aren't you performing rogue tunnel audits?
    Mr. Charbo. What we do when we identify a password or some 
type of a malicious ware is, we do a forensic analysis of that. 
That is our mitigation of identifying whether or not there are 
further actions that need to be taken or reportings up through 
US-CERT or to our NOC SOC.
    Mr. Langevin. The Chair now recognizes the gentleman from 
Texas for 5 minutes.
    Mr. McCaul. I thank the chairman.
    Imagine agents of a foreign power breaking into the 
Pentagon or the Department of Homeland Security, going into 
file cabinets and taking out documents, and they were caught. 
That would be front page, Washington Post. Yet we know these 
intrusions are occurring in the Federal networks of Federal 
agencies.
    Some say that September the 11th was a failure of 
imagination. We had information that al-Qa'ida did want to fly 
airplanes into buildings and into national landmarks. We just 
didn't take it seriously. And yet here we are, with the status 
of cybersecurity the way it is, knowing what the threat 
potentially could be; and I would argue that this Nation is not 
taking it seriously.
    In order to prevent another devastating attack in the 
United States, we need to step up to the plate.
    You know, I see there are several routes of intrusions--one 
mischief, another one criminal, one espionage, worst case 
scenario a terrorist attack to shut down our power grids, to 
wreak havoc with our financial systems. There are many ways 
that the terrorists could really wreak havoc in this country. 
That is what this committee is all about.
    I think in order to really be able to evaluate a solution, 
we need to understand what the risk really is. And that is why 
I have called upon the Department of Homeland Security, and I 
hope to work with the chairman in introducing legislation that 
would call for a national strategic vulnerability assessment on 
U.S. cybersecurity so that we really know what the risk is and 
that we know how to deal with that risk.
    The private sector needs to be a key piece to that. We have 
our Federal networks and then we have our critical 
infrastructures in the private sector. Are they properly 
protected? Is our Federal Government properly protected?
    So my question is, to the panel, maybe more to the GAO, is 
this something that is necessary for the security of the United 
States, to conduct a national vulnerability assessment on our 
U.S. cybersecurity? And in doing so, how would you recommend 
that we do that?
    Mr. Rhodes. The risk assessment that you are talking about, 
risk is a function of threat, vulnerability, and impact. So all 
three pieces have to be done.
    Yes, there has to be a threat assessment, but there also 
has to be a realization of vulnerability, and there has to be 
an understanding of impact. No one, certainly not I, certainly 
not my colleague, Mr. Wilshusen, is going to say secure 
everything, lock everything down. That is impossible. It is 
also impossible to have perfect security, but you have to drive 
toward zero tolerance on key systems.
    What you are driving at, Mr. McCaul, is that you have to 
understand what ``key'' means. And the first point is, what is 
the threat against the systems you are trying to protect? And 
you are absolutely right, it is not just the Federal systems. 
It is that 97 percent of the critical infrastructure that is in 
private hands. The power grid is not owned by the Federal 
Government. The power grid is in private hands. Same with oil. 
Same with gas. Same with health care. Same with all of those 
systems.
    Well, they all fit under that hierarchy of ``critical 
infrastructure,'' and unless and until the government is able 
to translate to the private sector what the real threat is, the 
private sector is not going to be able to take it to the 
boardroom and justify it.
    So it is important that there is a threat assessment, but 
everyone also has to understand, that is one-third of the 
discussion. There is threat, there is vulnerability, and there 
is impact.
    Mr. McCaul. In your report you mentioned centralizing the 
Department's information security policy, which would go a long 
ways. I think there is a lot of confusion in the Federal 
Government as to who is in charge, not only within the Federal 
Government, but also in the private sector. Of course, we have 
the Department of Homeland Security, and then we have the NSA 
and the Department of Defense.
    Can you make recommendations on that issue?
    Mr. Wilshusen. Well, indeed, you know, with FISMA, which is 
the Federal Information Security Management Act of 2002, it 
establishes responsibilities for the specific agencies in terms 
of what their roles and responsibilities are in implementing 
sufficient safeguards within their agencies to protect this 
information and information assets.
    FISMA also requires that OMB and NIST establish 
government-wide standards and policies for implementing security across 
the Federal Government. And so those two organizations have a 
role in determining what the policies and procedures are that 
other Federal agencies are required to follow insofar as it 
relates to non-national security systems.
    For national security systems, it is a combination of DOD 
and the Intelligence Community in coming up with those policies 
and procedures for government-wide use of those types of 
systems.
    Mr. McCaul. Mr. Charbo, do you have any comments on just 
lines of authority, clear lines of authority, and how we can 
resolve this? Because there is a lot of confusion, in my view.
    Mr. Charbo. Within the Department of Homeland Security, we 
have two groups that address cybersecurity. There is the 
Assistant Secretary for Cybersecurity and Communications, 
Telecommunications. They are focused on this issue with 
national policies around protecting cyberspace, critical 
infrastructure around the cyberthreats.
    My focus has been on the systems within the Department. I 
do not work on policy, but we work on trying to implement the 
policies that are there within our systems and manage towards 
more secure space. So if we just--as an example, if we take the 
recent FBI bot press release, they reported over a million, a 
million bots within the landscape that they had identified on 
IP addresses, potentially compromised within the Federal 
Government or within the U.S. Of that, there were about 181 
that were government, dot.gov's. The majority of these were 
edu's, dot.edu's, educational facilities, and dot.com's. The 
181, which included the House, the Senate, the Library of 
Congress, DHS; we had two IP addresses in that group.
    One of those, we had looked at. We believed it was a spoof, 
which means our IP address was being used as a return address 
from somebody. The other we aren't sure.
    As I said, the data--so we are waiting for that. So the 
operational roles of trying to implement against policies is 
where my office falls.
    The Assistant Secretary would look into the issues that you 
are addressing. There is a need.
    Mr. McCaul. I see my time is up. Thank you.
    Mr. Langevin. I thank the gentleman for his questions. The 
gentleman from Texas would also be glad to know that as a 
result of our first hearing on cybersecurity, the Chair is in 
the process of drafting legislation on a national threat 
assessment of cybersecurity; and I certainly look forward to 
working with you on that legislation.
    Before I recognize the gentleman from Mississippi, I also 
want to mention it is my intention to go for a second round of 
questions.
    The Chair now recognizes the chairman of the full 
committee, the gentleman from Mississippi, Mr. Thompson, for 
the purpose of asking questions for 5 minutes.
    Mr. Thompson. Thank you very much, Mr. Chairman.
    Mr. Charbo, are you aware of classified e-mails being sent 
over unclassified networks?
    Mr. Charbo. Yes, sir. It is termed ``spillage.''
    Mr. Thompson. Is that considered proper?
    Mr. Charbo. No, sir.
    Mr. Thompson. What have you done to correct it?
    Mr. Charbo. We have a procedure in place for those types of 
spillages. It is very closely aligned with our intelligence 
organization, our INA group, Intelligence and Analysis.
    As we go through our reports that we have gone through for 
the spillages, those that were considered significant--without 
exception, those were viewed as where somebody who had access 
to a secure system had typed an e-mail or made reference to a 
secured item, sent that item back to somebody else on e-mail on 
an unclassified system, and that person receiving said, I 
believe that is a secured breach. So we have a process where we 
notify that--we cleanse those systems.
    That is then a security issue, who they work with, the 
individual, on the breach. Many actions may happen there. It 
may be they are--their security clearance is removed. They may 
be removed from duty. But at that point it becomes a security 
issue with our security officers.
    Mr. Thompson. So do you consider these spillages 
significant?
    Mr. Charbo. They are a significant issue. It is a breach if 
not addressed. I believe what we are showing is that we are 
addressing those.
    This isn't unique to IT. This occurred even when we had no 
IT, but there were letters, papers, people wrote books. There 
are methods of handling and redacting spillages like this that 
go back quite many years.
    Mr. Thompson. Mr. Rhodes, do you care to comment on that?
    Mr. Rhodes. Any cross-authority communication, that is, any 
communication that breaches classification authority is 
significant, and it has to be handled. What has to be put in 
place is not just personnel. There has to be some control 
environment, so that people can't move from one network to 
another freely.
    It is not--obviously, there has to be a security function 
that takes place. It has to be a personnel issue. But having 
free access from one side to the other is not--is only going to 
foster the problem.
    Mr. Thompson. I guess my point is, knowing that you have--
these situations exist, could we not provide some controls to 
prevent it for the most part?
    Mr. Rhodes. Yes.
    Mr. Thompson. And I think that is the point I am trying to 
make.
    Mr. Charbo, in these spillage instances, can you provide 
the committee with how many people have been disciplined in 
this process?
    Mr. Charbo. I can't at this moment. We can get back.
    Our procedure is to refer those to our security office, 
because it may be a legal or a law enforcement issue at that 
point, so we have to refer those to our security office. And 
our intelligence office is involved in that as well.
    Mr. Thompson. Well, please provide us with what you have 
done on that.
    Are you aware of unapproved laptops being connected to our 
network?
    Mr. Charbo. Yes, sir.
    Mr. Thompson. Is that proper?
    Mr. Charbo. No, it is not.
    Mr. Thompson. What did you do or what have you done to 
prevent it?
    Mr. Charbo. So the process or the ones that are reported--
    Mr. Thompson. Go ahead.
    Mr. Charbo. The ones that are reported are where a 
contractor in our facilities happens to plug a laptop into a 
port. The alarm will go off.
    It is important to remember none of those contractors 
accessed our network. The alarm will go off. And in the cases 
that I am familiar with, we have escorted that individual off 
of the premises. Where we have contractors or it is a company 
that we have on contract, typically what we also do is follow 
up with security training recommendations around enforcing our 
policies.
    Mr. Thompson. I think part of the issue is whether or not 
we are providing enough training for the people. But I am a 
little concerned that a contractor could just walk in and plug 
up a laptop to a system under any protocol.
    Mr. Rhodes, you want to care to respond to that?
    Mr. Rhodes. I think one of the problems that you are 
describing, the root cause is that contractor staff are so 
pervasive.
    One of the root causes that we saw to a lot of the problems 
at the Department of Homeland Security when we were doing our 
testing is that systems are owned and operated by contract 
staff; therefore, they have free rein. Yes, an alarm goes off, 
but the contractor ultimately is running and operating the 
system at hand, and therefore, the contractor can come and go 
as the contractor pleases.
    Mr. Thompson. I beg the indulgence of the Chair.
    Mr. Charbo, were you aware of these security shortcomings 
before GAO brought them to your attention?
    Mr. Charbo. All of these issues that we are discussing 
specific to the Department of Homeland Security are ones that 
we report through our Security Operations Center. These are the 
ones that we provided to your letter as a request of events.
    I don't look at every one of those. I am not aware of every 
one of those. I certainly am aware of every one that impacts 
the mission. I mean, we have hundreds of these items. What we 
do--what I do is, we look across these categories, we review 
what incidences are of significance, we address those. We also 
take a look at these and determine, how do we need to modify 
our policies and change processes within the Department?
    Mr. Thompson. And my question is, why did it take GAO to 
find the weaknesses rather than your own internal operation?
    Mr. Charbo. Sir, GAO didn't point these incidences out to 
us.
    Mr. Thompson. Not incidents. CBP, the incidences dealing 
with CBP.
    Mr. Charbo. Oh, I am sorry. In terms of the GAO report, 
some of those were POAMs, or Plan of Actions and Milestones 
within our reporting processes. Others of these are events that 
were not picked up in audits by CBP.
    We use GAO and IG also. We don't disregard the comments 
that they make.
    I do believe that many of the findings in the GAO audit, 
since it was done, started over a year ago, many of those 
corrections have taken place.
    As in my statement it was said, there are also mitigating 
controls. In the cases where these employees are working inside 
a controlled space, we do background checks on those 
contractors. They do operate alongside our Federal employees. 
There is also a contracting officer, a program manager, someone 
who supervises those employees in that space. So it is 
important to know that those are secured employees.
    Mr. Thompson. I yield back.
    Thank you, Mr. Chairman. You have been very kind.
    Mr. Langevin. I thank the chairman.
    The Chair now recognizes the gentleman from North Carolina, 
Mr. Etheridge, for 5 minutes.
    Mr. Etheridge. Thank you, Mr. Chairman.
    Mr. Charbo, we have been talking about the importance of 
cybersecurity, and I want to know how important you think it is 
in the effective operations of DHS's IT resources and how 
important you think it is to our national security.
    We have talked about, the chairman, how many incidents we 
had in 2005 and 2006, and we know about the situations that 
happened at Defense and at the Department of State; yet 
cybersecurity spending has remained flat or has fallen at DHS, 
even as the budget of IT has risen by over 25 percent in recent 
years.
    The IT security budget was less than 10 percent of DHS's 
total IT spending in 2006, less than 7 percent in 2007, when 
cybersecurity experts recommended that spending be 
approximately 20 percent of the IT budget for security. So my 
question to you is this: How do you justify this level of 
investment in cybersecurity at DHS?
    Mr. Charbo. In terms of the budget for the chief 
information security officer, it did reduce in 2005 to 2006. 
That was a reflection of our security strategic plan. In 2004, 
there was a high incidence of what we call ``boarding 
parties.'' This was trying to determine what the inventory was.
    The budget presented back for outyears, which is now in 
terms of monitoring the progress for security and also on our 
Security Operations Center, reflects a flat line. It has been 
$15 million for the chief information security officer. That is 
for policy and for oversight; it is not just for what we have 
been putting into the Security Operations Center.
    Mr. Etheridge. Let me help you with that, because for 2005 
to 2007, 10 million. And it is truly flat. 2006 is 15, 2007 it 
is 15.
    Mr. Charbo. Correct.
    Mr. Etheridge. And yet we see the incidents going up. We 
just heard from GAO the problems we have, and yet we aren't 
investing in protecting the security--
    Mr. Charbo. From 2005 to 2006, it went down. It went up 
from 2004 to 2005. That represented our plan, our plan of 
identifying the inventory. The budget presented represented a 
reduced cost just for monitoring the program.
    As far as the Department goes, it has gone up between 2006, 
2007 and 2008, not as a percentage, but in dollars.
    When I look at a Gartner study--Gartner is a benchmark in 
the IT industry--their recommendations are 3 to 8 percent in 
terms of IT investment, depending upon your maturity as an 
organization. Typically--
    Mr. Etheridge. Well, let me interrupt you.
    Mr. Charbo. Yes.
    Mr. Etheridge. We are talking about maturity of the 
organization. We are talking about an organization that is just 
getting started, that we are putting investment of America's 
security in.
    Are you telling me that we are a mature organization?
    Mr. Charbo. No, sir.
    Mr. Etheridge. You were just quoting the statistics from an 
organization that said it was a mature organization.
    Mr. Charbo. No, sir, the quote I am using is 3 to 8 percent 
from Gartner based on your maturity, 8 if you are not a mature 
organization. This is what the study has presented.
    We invested in 2006 at about 8.2 percent. We are invested 
in 2007 at about 7 percent, 6.8; and we are about that amount 
in 2008 as well.
    As a total dollar amount, it has gone up. The request from 
2006 to 2007, our requests went up about $20 million. Again, in 
2008, it went up about $20 million, over a base of $350 million 
total in 2008.
    Mr. Etheridge. All right. I don't want to spend all my time 
on this. It is obvious we are not going to agree.
    It is not just the dollars we are spending; it is the 
results we are going to get, and I am very concerned about the 
results we are getting.
    You stated, when the chairman asked you a question earlier 
about--that you did not get the classified cyberthreat 
assessment briefing from the Intelligence Community, describing 
national and State activities.
    My question is, why did you not request these briefings?
    Mr. Charbo. You don't know what you don't know, sir. You 
know, I did not request the briefing because I was not aware of 
that event, that there were briefings going on that they were 
providing.
    Mr. Etheridge. Why?
    Mr. Charbo. I can't tell you that.
    Mr. Etheridge. It seems to me that is an important part of 
what we are trying to figure out.
    Mr. Charbo. It is. And as we have briefed the chairman, 
that is an effort that we would appreciate some help on.
    Mr. Etheridge. Isn't that part of leadership?
    Mr. Charbo. It is. That is why we are requesting some 
support in that area.
    The first intel briefing that we had on these issues came 
from a Federal CIO Council with OMB. I think that most Federal 
CIOs are in need of that information, and that is an effort 
that I think the committee can help with. And we are anxious to 
support that.
    Mr. Etheridge. Mr. Chairman, your indulgence. I want to 
touch one other area, because I think we are into a serious 
area here.
    In view of the recent upticks in cyberattacks across the 
government systems that we have been talking about, have you 
requested that DHS conduct a risk assessment--we have talked 
about it already--to determine what your overall vulnerability 
is? And why haven't we done it, I guess is the big question.
    Mr. Charbo. At DHS every system goes through a 
vulnerability assessment as a part of our FISMA, a part of our 
certification accreditation.
    In terms of our major communication networks, our TS 
networks, our top secret networks, our security networks, our 
unclassified networks, we have had additional support come in 
from intelligence agencies to look for additional 
vulnerabilities in those. Some of those have been completed, 
some of those we will continue to do. We have some that are 
scheduled that will continue.
    Mr. Etheridge. Thank you, Mr. Chairman. I yield back.
    Mr. Langevin. I thank the gentleman for his questions.
    The Chair now recognizes the gentlelady from California, 
Ms. Lofgren, for 5 minutes.
    Ms. Lofgren. Thank you, Mr. Chairman.
    Obviously, there are many, many issues that we will want to 
be consistently following up on with the Department from the 
GAO report. And I appreciate your holding this hearing today, 
and the participation of all the witnesses. I want to just 
spend a very brief time exploring the US-VISIT issue.
    Mr. Wilshusen or Mr. Rhodes, can you give us what you found 
in terms of US-VISIT in cybersecurity? Can you tell us some 
details of what you found there?
    Mr. Rhodes. Ms. Lofgren, let me--I want to be careful of 
the detail, because obviously I don't want to give the--
    Ms. Lofgren. Don't say anything that you shouldn't say in 
public.
    Mr. Rhodes. Right. Right. The security issues are 
pervasive.
    There are three parts to this discussion. One, the security 
issues are pervasive. As a matter of fact, I realize the 
statement continues to be made that our audit is a year old.
    It is not a year old. It started a year ago; the findings 
are not a year old. As a matter of fact, we curtailed our 
assessment of the systems because we just kept getting more and 
more findings. If we had continued to this day, I would argue 
that we would still be finding things in the environment.
    The problems were pervasive, the problems were systemic. It 
was not a matter of one system here, one system there, one 
problem here, one problem there. Problems were across the 
board.
    The second point I would make is that actually a lot of 
those problems can be fixed. They were functions of bad 
configuration or systems out of date, which is another reason 
that I say that the problems are systemic, in that, in a lot of 
ways, they are zero-cost fixes. They are a matter of 
reconfiguring the system to meet your requirements.
    The third point, I reiterate what I said earlier, the 
systems are run by contractors.
    Ms. Lofgren. No, I got that.
    Mr. Rhodes. All right. So those are the three--
    Ms. Lofgren. I wonder, could you, Mr. Charbo--we do have a 
contractor responsible for US-VISIT security, don't we? Could 
you get us a copy of that contract so we could take a look at 
that?
    Mr. Charbo. Yes.
    Ms. Lofgren. I appreciate that. On the--back on the US-
VISIT, I will ask this, because if it happened, the 
perpetrators already know that it happened.
    Was the database hacked, do you think, Mr. Rhodes?
    Mr. Rhodes. Was the database hacked? I did not see controls 
in place that would prevent it. And I did not see defensive 
perimeters, or I did not see detection systems in place that 
would let you know whether it had or had not.
    Ms. Lofgren. I will just close.
    This morning there was a hearing on US-VISIT and the exit 
portion, and I had another meeting to go to when our 
chairperson, Congresswoman Sanchez, asked Mr. Mocny and Mr. 
Jacksta about the GAO report and cybersecurity issues relative 
to US-VISIT. And I understand from staff who were--that they 
were surprised at the findings, and were unable to comment on 
them.
    So I would just ask that, as part of your exiting here, you 
make a special outreach to those two individuals on this. This 
is oriented not towards--I mean, we need to improve this 
situation, especially since much is riding on this. And perhaps 
we will get the details in a more appropriate setting from the 
GAO on the details of the exposure and risk, because this is 
obviously something that we will want to deal with in an 
expeditious basis.
    And I thank the chairman for recognizing me.
    Mr. Langevin. I thank the gentlelady for her questions. As 
I said, we are going to go for a second round of questions.
    Mr. Charbo, Chairman Thompson mentioned the Department's 
problem of saying one thing and doing another. He mentioned the 
Department's failure to implement Einstein, the National 
Cybersecurity Division's sensor system that analyzes suspicious 
network traffic, even though the US-CERT is trying to get other 
agencies to sign on.
    Now, another failure is auditing. DHS has contracts with 
two clouds to provide service to the Internet, that's Sprint 
and MCI. With so much traffic coming in and out, these clouds 
are keeping good traffic in and bad traffic out. Unfortunately, 
we see in one of your incident reports one of the carriers 
misconfigured the firewalls and allowed the firewalls to be 
bypassed.
    Now, despite this security breach, DHS has never audited 
the Sprint cloud. In fact, you told the committee that 
Assistant Secretary Garcia's shop, the National Cybersecurity 
Division, should be the one to audit the cloud. Yet, when the 
committee staff contacted NCSD, they said that not only have 
they never seen--never been asked to conduct such an audit, but 
that this should be handled by the CIO's office.
    So my question to you is, whose responsibility is it to 
audit these clouds and why has it never happened before?
    Mr. Charbo. Sir, the responsibilities to us go out to the H 
router. Those contractors that we have from that carrier, who 
were administering those, did misconfigure a router. We caught 
that. We identified that. We changed that. Those were the same 
cleared employees that--employees we have on staff.
    In terms of auditing the carrier clouds, you know, that is 
essentially auditing the Internet. I do believe that is a 
larger policy goal than just a Federal CIO's role at DHS or any 
Federal department. As we discussed, I do think that is an area 
that could be addressed or should be addressed on a broader 
scale than just every CIO in the Federal space trying to audit 
their carriers. There is a contractual issue in that.
    Mr. Langevin. You had a direct breach there. There should 
have been an audit conducted of the cloud. Isn't that--wouldn't 
that be your responsibility?
    And also, how long was that vulnerability open? Do you know 
how long that vulnerability existed?
    Mr. Charbo. I would have to get back to you on that.
    Mr. Langevin. That is disturbing. That is disturbing.
    Mr. Charbo, the DHS runs three local area networks, LANs A, 
B, and C. When was the last time you updated your network 
topology diagram with a focus on how the unclassified systems 
connect with the classified systems?
    Mr. Charbo. I would have to get back to you on that, sir, 
in order of--the exact date of the update of the topology. We 
have provided the committee with several diagrams of that 
topology. I would have to get back to you on any recent 
changes.
    Mr. Langevin. Mr. Wilshusen or Mr. Rhodes, if the network 
topology is incomplete, how can you be certain that your 
classified networks aren't touching your unclassified networks? 
And if hackers have infiltrated LAN A, can they have access to 
other networks within DHS?
    Mr. Wilshusen. I would say you probably can't be certain 
whether or not those two networks interconnect if you don't 
have a list or know all of the interconnections that affect 
those networks. So the possibility exists. And so certainly 
that is a key step.
    And, in fact, one of the first steps in developing an 
inventory of your systems and networks is to identify all the 
interconnections that exist on those networks. So that 
certainly is a key point of that.
    And I would just like to add one thing: Regarding the 
previous question, we have reviewed, as part of the request, 
the cloud, if you will, as part of our review of CMS's 
communication network. And this is what the Centers for 
Medicare and Medicaid Services, where we looked at the security 
over the communication network that was contractor-owned, 
contractor-operated, and identified a number of vulnerabilities 
that we were able to report on and make recommendations to CMS. 
And the benefit of that was that CMS took immediate, aggressive 
action to start implementing those recommendations.
    Mr. Langevin. So you would disagree with Mr. Charbo's 
statement that auditing that cloud would be like auditing the 
Internet? You are saying that it could be done and it should 
have been done?
    Mr. Wilshusen. I am saying there is some benefit to doing 
so. And we did that on the incidents with CMS.
    Mr. Langevin. Mr. Rhodes, do you have anything to add?
    Mr. Rhodes. Just to reiterate that we did audit the cloud. 
Now, we audited the portion of the cloud that was within the 
scope of the requirement from CMS, but we did audit it. So it 
can be done.
    Mr. Langevin. Thank you.
    The Chair now recognizes the gentleman from Texas, the 
ranking member of the subcommittee, for 5 minutes.
    Mr. McCaul. Thank you. And I want to follow up on your 
mention of a national strategic vulnerability assessment. I 
think in light of the testimony it is clear that we need to go 
forward with that.
    I want to follow up on something my colleague, Mr. 
Etheridge, brought up, and that is the Titan Rain. We had 
evidence that the Chinese were hacking into our networks at the 
Department of Defense, at the Commerce Department, State 
Department, extensive--hitting nonclassified networks, thank 
God. But that raises some serious concern in terms of the 
coordination across all Federal levels.
    If Mr. Charbo, who is in charge, as the Chief Information 
Officer, is not aware of that threat, it highlights the problem 
that we have that no one is really in charge across all Federal 
levels when you don't have one person in charge. And the 
coordination piece becomes very important.
    Mr. Charbo, I understand none of these intrusions actually 
hit the Department of Homeland Security, which is probably 
presumably why you were not briefed on this issue?
    Mr. Charbo. I believe so.
    Mr. McCaul. Okay.
    Mr. Charbo. I believe so.
    Mr. McCaul. Have you been briefed since then?
    Mr. Charbo. Briefed on Titan Rain?
    Mr. McCaul. Right.
    Mr. Charbo. I don't believe specifically. I believe it was 
a sanitized brief.
    Mr. McCaul. Were any of your superiors at higher levels 
briefed on this?
    Mr. Charbo. I couldn't comment on that.
    Mr. McCaul. Do you see that as a deficit? It seems to me if 
this is going on, that there needs to be some sort of 
coordination across particularly the national security-related 
agencies that this is happening and in order to better protect 
our Federal Government from these intrusions.
    Mr. Charbo. I agree. I think from my perspective more in-
depth intel briefs would be a benefit so that we can react to 
the situations. As I said, our data comes from what we report 
through to the US-CERT. We get information back from the US-
CERT. That would be our conduit for a lot of these intel 
briefs. We adjust our systems accordingly from those briefs.
    I am trying to establish a regular intel brief for the CIOs 
within components of the Department to specifically address 
that issue.
    Mr. McCaul. I appreciate the challenge you have in your 
position. It is an enormous one.
    Can the Government Accountability Office tell me, this 
obviously exposes, in my view, a huge vulnerability not only 
that a foreign government was hacking into major network 
systems at the Federal level, but also the lack of 
communication coordination briefings with the Department of 
Homeland Security in this case.
    Mr. Wilshusen. I would like to just add to that in terms of 
there is an organization called the US-CERT which is 
responsible for collecting and analyzing threat assessments and 
incidents that occur throughout the Federal Government, and, of 
course, the agencies are responsible for providing that 
information to US-CERT. In fact, GAO, we asked for and received 
a briefing from US-CERT on some of the incidents that you are 
referring to, particularly with Titan Rain. And so they had the 
information, and we were able to get some information about 
that, which helps us to better assess the threats that are out 
there when we definitely develop our audit programs.
    Mr. McCaul. Mr. Rhodes, any comment?
    Mr. Rhodes. I would just say that, yes, there is difficulty 
in cross-communication. That is why there is a large effort in 
information sharing, and that what I would convey is that it 
seems to me that basic curiosity should be driving everyone 
about their environments. All you have to do is pick up--it is 
an unclassified document, it is called Unrestricted War. That 
tells you who your opponent is and tells you how your opponent 
is coming after you.
    Currently there is information about attacks against Italy. 
Recently there were attacks against Estonia. Prior to that you 
can just--it doesn't necessarily need to be a decoder-ring-level, 
supersecret brief in order to understand what is above 
the fold on the front page of the Washington Post.
    Mr. McCaul. Just one last point, Mr. Chairman, and that is 
to follow up on what you are saying, and in my first question 
talking about the threat posed by al Qaeda and airplanes and 
not being taken seriously, we clearly have a threat here with 
cybersecurity. Do you believe that we are not taking this issue 
as serious as we should?
    Mr. Rhodes. My concern is that I don't think people 
understand that the virtual and the physical world are 
intersecting every day and becoming more and more intertwined. 
If we cannot secure systems that are holding information 
because we do not understand the value of that information, if 
we can't do the risk assessment based on threat vulnerability 
and impact, then when the power grid is completely automated, 
when the oil and gas is completely automated, we will have a 
very, very serious problem on our hands, because we do have 
opponents, and they are dedicated.
    Mr. McCaul. Thank you, Mr. Rhodes.
    Mr. Langevin. The Chair recognizes the Chairman of the full 
committee, Mr. Thompson.
    Mr. Thompson. Thank you very much, Mr. Chairman.
    Let me at the outset of my questions say that I am real 
troubled by a statement Mr. Rhodes said that they basically 
stopped looking at a program because every time they look, they 
kept finding weaknesses.
    Mr. Charbo, I hope you are as equally troubled, too, about 
that statement from a security standpoint, that basically you--
the GAO stopped looking because I would assume that every time 
they looked, they found a vulnerability. And the fact that we 
have a private contractor who we will get to contract who is 
supposed to, I would assume, prevent these things from 
happening; have you put this contract on notice that their 
performance is less than stellar in this particular arena?
    Mr. Charbo. Sir, we just received the draft. CBP just 
commented to the GAO 2 days ago. So there has not been any 
contractor placed on notice.
    Mr. Thompson. Well, then are you prepared to tell the 
committee that based on what GAO found as vulnerability and 
weaknesses, that you already knew about those vulnerabilities 
and weaknesses?
    Mr. Charbo. No, sir, I am not prepared to say I already 
knew about those vulnerabilities and weaknesses. We will sit 
down with CBP and go through these, as we typically do, go 
through these and address the contractor issues.
    Mr. Thompson. Mr. Wilshusen, is it standard operating 
procedure for a department to contract out its IT security; and 
if it is, what is the oversight back to that agency if it is 
contracted out?
    Mr. Wilshusen. I believe more and more agencies are indeed 
contracting out IT services, including IT security for certain 
aspects of that, to include network monitoring and actually 
administering systems. But it is incumbent upon the agency, and 
it is required under law that the agency take appropriate 
oversight measures to ensure that the contractor is applying 
the appropriate security safeguards and adhering to the 
agency's own information security policies and procedures.
    Under FISMA, the agency is responsible for assuring that 
the contractor is adequately securing the systems and 
information that it operates on behalf of the agency.
    Mr. Thompson. Mr. Charbo, have you certified FISMA 
compliance with respect to this contract?
    Mr. Charbo. I don't certify FISMA compliance. According to 
FISMA, the business owner of the system certifies that system.
    Mr. Thompson. To who?
    Mr. Charbo. Certifies it to the Department, essentially to 
me. We monitor that, go through and audit those.
    Mr. Thompson. Can you provide this committee with those 
certifications?
    Mr. Charbo. I can provide that.
    Mr. Thompson. Well, as to whether or not you accepted the 
certifications?
    Mr. Charbo. Correct.
    Mr. Thompson. Yield back.
    Mr. Langevin. Thank the gentleman.
    The Chair now recognizes the gentleman from North Carolina, 
Mr. Etheridge, for 5 minutes.
    Mr. Etheridge. Thank you, Mr. Chairman.
    Mr. Charbo, earlier my colleague who had to leave, Ms. 
Lofgren, was asking GAO some questions as it related to 
Homeland Security's database, so let me give you a chance to 
comment, because the question dealt with US-VISIT and the 
Department's security database, whether or not terrorists or 
nation states could get into that and change or alter their 
names and allow them access to this country. And we wouldn't 
even know that they were doing it, rendering our watch list or 
our visa tracking protocol useless. When time ran out, you 
didn't have a response. Did you have a response to GAO's 
findings on that report?
    Mr. Charbo. The GAO report addresses a CBP system. As we 
stated in our testimony, there are other controls placed around 
that system, and there is no evidence that any of those 
incidents you stated have occurred on that system.
    Mr. Etheridge. So you are saying that the US-VISIT 
database, to your knowledge, has not been hacked by outsiders?
    Mr. Charbo. Correct.
    Mr. Etheridge. Let me return to my friend from GAO. Did any 
of your--Mr. Rhodes--any of the information from the GAO's 
study indicate any intrusion in the US-VISIT by any outsider?
    Mr. Rhodes. We did not have any direct evidence of 
intrusion; however, we did not see controls in place that could 
prevent it, and we did not see detection systems in place in 
key areas that would have detected it had there been 
intrusions.
    Mr. Etheridge. So let me reframe my question then. What you 
are saying is that if someone were smart enough to get in, they 
could conceivably get in, get out, and never know they had been 
in.
    Mr. Rhodes. They might have, sir.
    Mr. Etheridge. Let me ask you another question. You 
mentioned earlier that a low-cost fix to some of the security 
problems that you found in the US-VISIT system could be done.
    Mr. Rhodes. Yes, sir.
    Mr. Etheridge. How quickly could they be done, and how long 
would--how long would it take to get them done, and how 
complicated is it to do them?
    Mr. Rhodes. The complicated part is figuring out the value 
of the system and how much security has to be in place. That is 
a policy analysis. I can't give you that. Once that is 
established, however, some of these fixes could be done in an 
extremely short period of time, a matter of days. This is not 
weeks or months or years to try and fix things.
    When I talk about low cost and reconfiguring a system, I am 
talking about the time it takes for someone to come in and put 
a new computer on your desk in your office.
    Mr. Etheridge. Mr. Charbo, let me go back to my original 
question again, because it seems to me, if I am understanding 
what I am hearing--so if I am incorrect in what I am picking 
up, please correct me, because I don't know a great deal about 
it, but I do know this is a very vulnerable area potentially. 
Is there a reason why we haven't done this?
    Mr. Charbo. As an example of one of the controls that--in 
the U.S. GAO report on CBP and VISIT is that there is no 
encryption on the local area network. However, we encrypted the 
traffic going outside of that network, so there is an 
encryption control as a mitigating control, plus we do 
background checks on those employees and contractors that are 
in that area.
    And all of these cases in establishing risk, you look at 
mitigating controls. If there are some quick, easy 
configuration control fixes to put in place, we would like to 
sit down with GAO and understand what those are to implement 
those.
    Mr. Etheridge. Would you mind doing that before you leave 
today, start that process?
    Mr. Charbo. We have their findings; we have sat down with 
them.
    Mr. Etheridge. Have you already done that?
    Mr. Charbo. I have not. CBP has, US-VISIT has. Their 
security people have sat down and reviewed the findings, et 
cetera.
    Mr. Etheridge. I would encourage that, because it seems to 
me that that is a good starting point. Whoever is in charge 
ought to be knowing what is happening, if I might suggest that.
    Mr. Rhodes. Mr. Etheridge, may I just add one?
    Mr. Etheridge. Please.
    Mr. Rhodes. Some of these fixes have been made in the time 
since we made them.
    Mr. Etheridge. Thank you.
    Mr. Rhodes. Some were severe enough that we wanted them 
fixed right then. But some of them we are in the process of 
negotiation, because as Mr. Charbo says, he has had the report 
only a short time.
    Mr. Etheridge. In light of that, Mr. Chairman, could we ask 
that--because I think this is a very critical area, it is a 
highly vulnerable area--that, Mr. Charbo, if you would please 
let this committee know as this moves and when these are fixed?
    Mr. Charbo. Yes, sir.
    Mr. Langevin. I thank you.
    Mr. Etheridge. Mr. Chairman, I yield back.
    Mr. Langevin. I thank the gentlemen.
    We can clearly go on all afternoon with questions. I am 
going to ask one final one, and there are several that the 
committee will have for the panel in follow-up, and we would 
ask that you get back to us as quickly as possible in writing.
    Mr. Langevin. Mr. Charbo, one of your goals that you 
provide to the committee is 100 percent FISMA compliance, yet 
we have heard time and again that FISMA compliance doesn't 
equal security. Many IT security commentators have said that 
you can't correlate between the grade an agency receives and 
the true level of security within that agency.
    How important is getting an A to you on the FISMA scores, 
and why isn't your primary focus on securing your own networks 
and mitigating the vulnerabilities that exist within the 
networks?
    Mr. Charbo. Sir, FISMA is a law that we are obligated to 
follow. I mean, if you want to make it a paper process, 
certainly I believe an organization can make it just a paper 
process. That is not the case at DHS. FISMA does not require us 
to stand up a security operations center, as we have reported 
to the committee with all the actions that happen within the 
Department. That was an initiative that the Department took, 
that the CIO's office took, or Chief Information Security 
Officer took.
    So that is where we really believe we are trying to bridge 
and make FISMA operational. Certainly I do believe it can be 
just a paper process, but that is not the case at DHS. Our plan 
of action is in milestones and are very critical in terms of 
understanding the configuration controls. A lot of the 
questions have been directed today at how we are going to 
mitigate those and turn those into operations.
    Mr. Langevin. With respect to those POAMs that you have 
raised, there are a significant number of those POAMs that have 
not yet been completed and not been addressed. Why is that? 
Why is the number so high in terms of POAMs that are 
unresolved?
    Mr. Charbo. There is a high number, but there have been a 
high number that have been resolved. The nature of those POAMs 
is to continuously review the risks, the security postures of 
your systems, and make a plan of action to mitigate that 
weakness. There will always be POAMs in the Department if we 
are doing this correctly and not making it just a paper trail.
    Mr. Langevin. Just to quantify, there are, according to the 
report, 69 percent of the 3,566 open vulnerabilities that exist 
on the Department's networks, and they did not include the 
resource to require for mitigating those vulnerabilities. That 
is a significant number that is still unaddressed, and I hope 
you are going to get to it.
    Mr. Charbo. In most of those cases, we address mitigating 
controls.
    Mr. Langevin. I want to thank the panel for their testimony 
today. Again, several times during the hearing you stated that 
you will get back to us with questions that we had. We will 
hold you to that. And we ask that you respond as expeditiously 
as possible in writing to further questions that the committee 
will have for you.
    I want to thank the panel for their testimony today. It has 
been very valuable. Thank the Members for their questions, and 
hearing no further business, this subcommittee now stands 
adjourned.
    [Whereupon, at 3:50 p.m., the subcommittee was adjourned.]


              APPENDIX: Additional Questions and Responses

                              ----------                              


                 Questions from Hon. Bennie G. Thompson

                      Responses from Scott Charbo

    It is my pleasure to provide the following responses to your 
committee's May 31, 2007 follow-on request for information concerning 
the Department of Homeland Security's (DHS) information technology 
security policies and procedures (Attachment 1).\1\*
    Question 1.: The network topology diagram provided to the Committee 
is incomplete. Please provide the full network topology diagram.
    Response: Please find the attached Department of Homeland Security 
(DHS) OneNet topology diagram. The diagram represents the Department's 
current infrastructure and details OneNet, DCN, and the Component 
Connectivity (Attachment 2).\1\* A second diagram shows the 
Department's A LAN (Attachment 3).\1\* Additional topology diagrams 
will be provided to your office by Tuesday, June 19, 2007.

    Question 2.: Has the Department identified any security concerns as 
it moves forward with the proposal, and, if so, what plans are in place 
to remedy any vulnerabilities prior to convergence of any networks?
    The OneNet project is currently managed by the DHS Infrastructure 
Transformation Program (ITP) within the Office of the Chief Information 
Officer (DHS CIO). Infrastructure Operations, also an office within the 
DHS CIO organization, is responsible for the ITP, provides ongoing 
assurance that security controls are duly executed in accordance with 
Chief Information Security Officer (CISO) policies, and acts as the 
OneNet Designated Accrediting Authority (DAA).
    The OneNet Certification and Accreditation was completed during the 
implementation stage and achieved an acceptable risk posture in January 
2007. An Authority to Operate (ATO) was subsequently issued and 
residual vulnerabilities, discovered during the accreditation security 
testing and evaluation (ST&E) process, were entered into the system's 
Plan of Actions and Milestones (POAM), provided as Attachment 4.\1\* 
POAM items are being addressed in accordance with DHS 4300A Attachment 
H, Plans of Actions and Milestones process Guide, provided as 
Attachment 5.\1\*
    The following program issue is being addressed by the DHS CIO in 
partnership with the DHS service provider, U.S. Customs and Border 
Protection (CBP).
    During the accreditation security testing and evaluation process, 
we assessed that the security control for audit collection, retention, 
review, and management was not in place. Customs and Border Protection, 
responsible through the ITP Charter for One Service Delivery, is fully 
aware of the audit deficiencies and has a high level security project 
plan to correct them. The lack of audit management does not pose a risk 
to the Component Agencies, neither currently nor when they have 
complete network convergence. Nonetheless, successfully addressing this 
issue will provide the Department with indicators, as a security 
assurance measure, that the network has the appropriate security and 
operational administrative control procedures in place.

    Question 3.: Please provide a list of all mitigation actions 
tracked within the Department's Trusted Agent FISMA (TAF) tool, 
including the name of the component, date of assignment, scheduled 
completion date, mitigation action, and completion date.
    Response: A Department-wide list is provided in Attachment 4.

    Question 4.: Please provide a list of all vulnerabilities that are 
recorded and tracked within the TAF Plan of Action and Milestone 
folder, including the name of the component, date of assignment, 
scheduled completion date, mitigation action, and completion date.
    Response: A Department-wide list is provided in Attachment 4.

    Question 5.: During a meeting with the Committee staff, you stated 
that you are authorized to reduce funding to agency components that do 
not mitigate their vulnerabilities in a timely fashion. Please provide 
a list of funding reductions or recommendations for funding reductions 
that you made to Secretary Chertoff. Please also provide a narrative of 
the Secretary's response to your recommendations.
    Response: During the meeting with the Committee staff, the response 
to the question of the Chief Information Officer's authority and how he can 
influence a component's progress was answered in three parts by the 
Chief Information Officer. To clarify, the Chief Information Officer 
can make recommendations to the Secretary for budget reductions, but he 
cannot reduce budgets himself. This three part answer was based on the 
Secretary's changes to Management Directive 0007.1, Information 
Technology Integration and Management. Additional information follows:
    Secretary Chertoff recently instituted changes in the oversight of 
the Chief Information Officer for the Department of Homeland Security. 
DHS published a revised Management Directive 0007.1 in March 2007, 
improving the ability of the Chief Information Officer to manage and 
influence the Department's information technology programs. Included in 
these changes were:
        1. Components must provide their information technology (IT) 
        budgets annually to the DHS Chief Information Officer for 
        review; I will then make recommendations to the Secretary for 
        final budget submissions to the Office of Management and 
        Budget.
        2. Any proposed IT acquisition greater than $2.5 million must 
        be reviewed and approved by the DHS Chief Information Officer. 
        IT acquisitions are defined as services for IT, software, 
        hardware, communications, and infrastructure.
        3. Before IT investment proposals greater than $2.5 million are 
        submitted to the DHS Chief Information Officer for approval, 
        the Department's Enterprise Architecture Board must approve the 
        investment and certify its alignment with the Department's 
        enterprise architecture.
        4. The DHS Chief Information Officer will approve the hiring of 
        Component Chief Information Officers, as well as set and 
        approve their performance plans, ratings, and annual award 
        compensation.
    As part of the process of reviewing and making recommendations for 
component IT budgets, I also take into account components' performance 
in mitigating their POAM vulnerabilities.
    Included in this improved Management Directive is the inherent 
ability to influence the budget in areas where a component's 
information security posture is weak. While I have never recommended 
that a component's budget be reduced due to a lack of success in a 
POAM, I have been able to provide guidance and direction to the 
components that are not satisfactorily progressing in their POAMs. 
Since March 2007, when the Management Directive gave these additional 
powers to the Chief Information Officer, I have written letters to the 
directors of three components pointing out ways they could improve 
their FISMA scores (See these letters in Attachment 6).\1\*
    Indeed, it is not always the best policy to reduce an IT budget if 
a is not being satisfactorily met. My experience has shown that the 
components are in fact making efforts to resolve their problems and 
that the lack of financial means to mitigate vulnerabilities is their 
primary obstacle to success. We would want to provide encouragement and 
support to components so that they can obtain additional resources to 
ensure success.

    Question 6.: If you have not provided funding cut recommendations 
to the Secretary, please provide a list of any components that have not 
mitigated their POA&M vulnerabilities and a narrative explaining your 
decision not to recommend a funding reduction.
    Response: A Department-wide list is provided in Attachment 4.
    Please see the answer to question 5.

    Question 7.: According to the Department's policy on Contractors 
and Outsourced Operations, ``components shall conduct reviews to ensure 
that the IT security requirements in the contract are implemented and 
enforced.'' When was the last Department-wide review of these 
contracts? Were these reviews conducted by component CIOs or by 
personnel within your of authority? What vulnerabilities were in the 
review and when were they remediated? Please provide the Committee with 
each component review of their outsourced operations, as well as the 
Departmental review of the components' work.
    Response: The Department has a total of 717 systems in its inventory. 
This includes 501 government systems and 216 contractor systems. The 
Department mandates the testing of information systems security 
controls for all systems, government and contractor alike, using the 
National Institute of Standards and Technology (NIST) Special 
Publication 800-53 (SP 800-53) methodology. Please refer to Attachment 
7,\1\* summary of NIST SP-800-53 assessment for a summary of these 
assessments. Contracting officers and their technical representatives 
(COTRs) also review contractor performance, including compliance with 
information security requirements.
    Additionally, the Department ensures that IT security requirements 
are included and enforced in all contracts. To that end, the DHS CIO 
implemented the IT Acquisition Review (ITAR) process that provides for 
the DHS CIO's review of all IT acquisitions of $2.5M or more. Public 
Law 109-295 requires that ``no funds be made available for obligation 
for any information technology procurement of $2.5M or more without 
approval of the DHS CIO.''
    In support of this effort, the CISO developed review criteria and 
evaluates every Purchase Request (PR) to ensure that the appropriate 
personnel and information security requirements are included prior to 
CIO approval and release. The CISO staff has conducted and 
adjudicated more than 130 PR reviews since October 1, 2006. Please refer 
to Attachment 8,\1\* Summary of Information Technology Acquisition 
Reviews for a summary of these reviews.
    DHS Management Directive 0007.1 requires the DHS CIO to ``review 
and approve all Component IT budgets.'' The CISO staff completed 
security reviews for more than 375 investments (levels 1 through 4) in 
April 2007 and provided the security scores to the Capital Planning and 
Investment Control (CPIC) in support of this requirement. A summary of 
the results is presented in Attachment 9,\1\* Contractor Monitoring 
Summary.

    Question 8.: According to the Department's policy on Risk 
Management, ``components conduct risk assessments whenever significant 
changes to the system configuration or to the operational/threat 
environment have been made, or every three years, whichever comes 
first.'' Please provide these risk assessments, including the dates the 
assessments were conducted.
    A complete set of risk assessments is provided in Attachment 
10.\1\* Please be aware that this information is considered highly 
sensitive and should not be released.

    Question 9.: According to the Department's policy on IT Security 
Review and Assistance, ``the DHS CISO shall conduct IT security review 
and assistance visits throughout the Department to determine the extent 
to which the Component security programs comply with IT security 
policy, standards, and procedures.'' When were these security reviews 
completed? How many components passed or failed this review?
    The Department conducts security review and assist visits on an 
ongoing basis. The Office of Information Security (OIS) IT Security 
Compliance Team reviews and assesses Certification and Accreditation 
(C&A), including compliance with the Federal Information Systems 
Management Act (FISMA).
    Documents are reviewed on a pass/fail basis against criteria 
described in the FY07 Information Security Performance provided as 
Attachment 11.\1\* The Compliance Team provides Components with 
feedback on how to raise the quality of systems security, if required.
    Plans of Action and Milestones (POAMs) are reviewed monthly and 
assessed for compliance with OMB guidance and against criteria 
described in the FY07 Plan. All systems are graded on a pass/fail basis 
and the Compliance Team tracks Government Accountability Office (GAO), 
Office of the Inspector General (OIG) and financial audit findings to ensure that 
appropriate POAMs have been developed for each recommendation. It also 
monitors POAMs through completion.
    The overall FISMA compliance status for each Component and results 
of compliance reviews are compiled in a monthly scorecard and 
distributed to Department ISSMs and CIOs.
    Training and assistance provide tailored support designed to help 
individual Components address compliance issues. In most cases, this 
involves working directly with Component System Security Managers and 
Officers (ISSMs and ISSOs) in order to address weaknesses. Security 
training and assistance visits for FY07 have included:
        Training Activities
          - C&A
          - Risk Management System (RMS) and FISMA (TAF)
          - POAM
          - Security Awareness
          - Role Based Training--Financial System Workshop
        Face-to-face and hands-on assistance to help Components 
        understand requirements and conduct activities to ensure 
        improved compliance in the following areas
          - C&A
          - TAF
          - POAM
          - Financial Audit Remediation Activities
    Details for all the activities are provided in Attachment 12.\1\*

    Question 10.: The Department's policy on ``Wireless Systems'' 
requires ``annual security assessments shall be conducted on all 
approved wireless systems. Wireless security assessments shall 
enumerate vulnerabilities, risk statements, risk levels, and corrective 
actions.'' Please provide the Committee with those assessments.
    Assessments of the wireless or wired infrastructure are to be 
completed every three years per Section 3.8.b of DHS Sensitive Systems 
Policy 4300A version 5.1. The exception to this rule occurs when there 
is a major configuration change to a system, which requires an 
immediate re-assessment. Security assessment responsibility is a 
Component-level activity performed by the Component CIO organizations 
as part of the DHS security management program.
    The Department's Security Certification and Accreditation process, 
in accordance with DHS and NIST security policies and standards, includes 
the wireless environment when necessitated by mission need in the 
System Security Life Cycle for each given General Support System. 
Security assessments for operational wireless systems have been 
included, as applicable, in the full Security Risk Assessments provided 
to the Committee in response to Question 8 of your Memorandum.
    The DHS Enterprise Architecture recognizes the pervasive need and 
use of Wireless Systems and has established a Wireless Security Board 
in collaboration with the DHS Chief Information Security Officer for 
promulgating wireless policy, standards and assessments for the 
wireless environment.

    Question 11.: When did the Department last audit the MCI MPLS Cloud 
or the Sprint MPLS Cloud? What were the results of the audit? Did the 
Department require MCI or Sprint to mitigate vulnerabilities?
    The Department has reviewed the security and network operational 
environments for the two OneNet-provided carriers. In 2006, the 
Department reviewed the carrier services at Sprint during a visit with 
the network steward. The review focused on management and operational 
issues. However, the review did not cover a technical assessment 
(security test and evaluation) because the General Services 
Administration (GSA) is responsible for technical assessments and 
security validation under both FTS-2001 and Networx. The security 
inherent in the Dynamic Multiple Virtual Private Network suite of 
protocols fully protects the confidentiality and integrity of all 
information transiting the OneNet. The Department has Service Level 
Agreements with each carrier, attesting that they have established and 
will maintain conformance with the applicable DHS security controls and 
availability metrics, which reduces any potential attack on network 
availability. GSA serves as the government-wide Contracting Officer for 
the FTS-2001 contract and the upcoming Networx contract is for 
technical assessments and security validation of the environment. GSA 
has agreed, during the Networx requirements gathering process, to 
assume the responsibility for ensuring that the carriers meet or exceed 
the applicable security requirements of the National Institute of 
Standards and Technology once the final contract is awarded.

    Question 12.: The Committee requested and received a list of FY 
2005 and FY 2006 incidents reported to the Department's Security 
Operations Center (DHS SOC).

        a. Please define a ``classified data spill.'' How is this 
        incident different from an incident where a Department employee 
        sends a classified through a non-classified system?
    A classified data spill, also referred to as a ``classified 
information spill'' or a ``collateral information spill,'' occurs whenever 
classified information is brought onto a network not approved for the 
level of classification commensurate with the sensitivity of the 
information. This can happen through a variety of vectors, including 
email, Compact Discs, removable media or manual data entry. The 
Department goes to great lengths to prevent direct electronic transfer 
between networks, however, when a classified spill occurs, it is 
usually the result of personnel not following proper classified data 
handling procedures. A Department employee sending classified 
information through a non-classified system is a type of classified 
data spill.
    Under current policy, when a Component or Component Security 
Operations Center (SOC) becomes aware of a suspected or spillage, it is 
reported to the DHS SOC either in person or via telephone without 
delay. Other methods of reporting (Fax, email, DHS SOC Online) are not 
allowed for this type of incident because they provide additional 
electronic trails that must also be sanitized, thereby increasing the 
risk that the information will become accessible to unauthorized 
persons. Once notified, the DHS SOC coordinates the appropriate 
required actions.

        b. Please explain what disciplinary actions were taken against 
        the contractors in DHS Incident #2006-08-031
    Incident 2006-08-031 was entered as a minor incident whereby 
unauthorized users had attached personal computers to the government 
network. No access was obtained, and the incident was closed with the 
following additional action: ``Laptops were removed, personnel were 
escorted off of the premises and training was issued to those who 
allowed them access to the area.''
    The full incident report is provided in Attachment 13.\1\*

        c. Please provide a list of the FY 2007 incidents reported to 
        the DHS
    A list of incidents from October 1, 2006 to June 4, 2007 is provided 
in Attachment 14.\1\*

           Questions from the Committee on Homeland Security

                      Responses from Scott Charbo

    Question 1.: What responsibility does the Chief Information Officer 
have over networks of the Department of Homeland Security? Please 
explain your relationship to the Chief Information Security Officer, as 
well as the Chief Information Officers and Chief Information Security 
Officers of the Department's component agencies.
    Response: The Department's Chief Information Officer exercises all 
statutory authorities and Federal mandates assigned to Federal Chief 
Information Officers, particularly those outlined in the Clinger-Cohen 
Act of 1996 and the Federal Information Security Management Act of 2002 
(FISMA). In accordance with FISMA, the Chief Information Security 
Officer (CISO) is a report to the Chief Information Officer.
    Department of Homeland Security Management Directive 007.1, 
Information Technology Integration and Management, included as 
Attachment 2, further strengthens the role of the DHS Chief Information 
Officer in three key areas:
          Review and approval authority over all information 
        technology (IT) purchase requests greater than $2.5 million
          Approval over all Component Chief Information Officer
          Input into Component-level Chief Information Officer 
        performance plans and evaluations.
    Component Security Programs are under the direction of Component-
level Information Systems Security Managers (ISSMs), who report 
directly to each of their respective Component Chief Information 
Officers. ISSMs are required to follow guidance from the Department CISO. 
Additionally, ISSMs collectively comprise the Information Systems 
Security Board (ISSB), which is chaired by the Department CISO.

    Question 2.: Please provide the Department's information security 
policy and incident response plan.
    Response: DHS Sensitive Systems Policy Directive 4300A, Version 5.1 
and Attachment F--Incident Response and Reporting are included as 
Attachments 3 and 4. These documents represent the Department's current 
information technology security policy and incident response plan.

    Question 3.: Please provide a report on how many and what types of 
incidents have been reported to US-CERT by agencies within the 
Department of Homeland Security. Please categorize each incident using 
the ``Federal Agency Incident and Event Categories'' developed by the 
US-CERT. Please provide details of the attacks during 2004--2007 that 
were the most critical (classified ``CAT 1'' on the US-CERT reporting 
guidelines). Please include both those that were and were not reported 
to US-CERT, and indicate which were not reported to US-CERT within the 
US-CERT reporting timeframe.
    Individual DHS Components do not report incidents directly to the 
US-CERT. The Department has its own 24x7 Security Operations Center 
(DHS SOC) that oversees all IT security operations for the Department. 
The DHS SOC has direct operational oversight of all aspects of the 
Department's common wide area network (OneNet), and also oversees the 
vulnerability management and incident reporting processes. Individual 
Components have security operations capabilities for their own local 
environments; however, all of these are operationally subordinate to 
the DHS SOC.
    The DHS SOC, and only the DHS SOC, reports incidents to the US-CERT 
in accordance with US-CERT categorizations and guidelines and in the 
same manner as the other civilian Federal agencies. Attachment 5 
contains a summary report for all incidents reported by the DHS SOC to 
the US-CERT from October 2004 to the present. The DHS SOC Security 
Operations Concept of Operations (CONOPS) is provided as Attachment 6.

    Question 4.: Has the Department taken an inventory of each access 
point to its network (i.e. every connected device, wireless device, 
remote device, etc.), both inside and outside of the firewall, in order 
to identify potential points of vulnerability? Does a complete network 
topology diagram exist? If so, please provide that diagram.
    Response: The network topology diagrams are provided as Attachments 
7a and 7b.

    Question 5.: Has the Department ever conducted both internal and 
external penetration tests on its systems? Have individual Components 
of the Department ever performed internal and external penetration 
tests on their systems? Please provide copies of all penetration 
testing reports and narratives describing the vulnerabilities that were 
revealed and how those vulnerabilities were mitigated.
    Response: Current DHS Policy requires all Components to conduct 
annual vulnerability assessment testing to identify security 
vulnerabilities on IT systems containing sensitive information. 
Assessments are also required whenever significant system changes are 
made. The DHS Computer Incident Response Center (CSIRC), an element of 
the DHS Security Operations Center (SOC), centrally manages the 
program, which is executed at the Component level. The CSIRC's role is 
fully outlined in the SOC CONOPS document (Attachment 5) and is 
supported within DHS Sensitive Systems Policy Directive 4300A \1\* 
(Attachment 2).
---------------------------------------------------------------------------
    \1\ Sections 5.4.2 Network Security Monitoring; 5.4.8 Testing and 
Vulnerability Management
---------------------------------------------------------------------------
    DHS Components have implemented internal and external penetration 
testing programs and currently test all FIPS 199 ``high'' category 
systems. General support systems or major applications created or built 
to meet unique mission needs receive a full internal penetration test 
prior to obtaining ``Authority to Operate'' (ATO). In addition, the DHS 
Office of the Inspector General (OIG) conducts annual FISMA audits, 
which include internal penetration testing. Some systems receive 
periodic manual and automated internal penetration testing. Security 
Test and Evaluation (ST&E) results and Security Assessment Reports also 
reveal vulnerabilities. Mitigation actions are uploaded and tracked 
within the DHS Trusted Agent FISMA (TAF) tool.
    Vulnerabilities that cannot be mitigated quickly are recorded and 
tracked within the TAF Plan of Action and Milestone (POA&M) folder. 
Each item is assigned a scheduled completion date, lists the 
vulnerability, and articulates how it will be corrected or mitigated.
    Attachment 8 provides a representative sample of the Department's 
penetration testing activities. The aggregate of additional information 
would reach a National Security classification level. Should you 
require additional information, please advise and the Department will 
arrange for courier delivery of information at the appropriate 
classification.

    Question 6.: When was the last time the Department used ingress and 
egress on client personal computers? When was the last time the 
Department replicated client-side attacks on those computers? Has the 
Department ever conducted a network-wide rogue tunnel audit of all 
client personal computers? Have you ever conducted audits on the 
aforementioned compromised personal computers from question 3?
    Response: DHS does not currently apply ingress and egress filtering 
on individual client personal computers; however, all DHS content to and 
from the Internet is controlled through dedicated gateways and ingress 
and egress filtering is enforced at those control points.
    The DHS approach is similar to that employed by the Department of 
Defense (DoD) on its Non-classified Internet Protocol Router Network 
(NIPRNet) where most of the ingress/egress filtering is done at 
Internet/NIPRNet gateways. The DoD is conducting a pilot program 
whereby enterprise-wide client side ingress and egress filtering is 
currently being tested. DHS will review the results from the pilot and 
determine the best way forward.
    DHS has not replicated client-side attacks or rogue tunnel audits 
on client PCs; however, it routinely conducts audits on compromised 
personal computers. A representative sample of incidents that have been 
audited, describing the actions taken as a result of compromised 
systems, is provided in Attachment 9.

    Question 7.: Has the Department implemented a secure coding 
initiative? What portion of software deployed by the Department and its 
components have been tested using source code analysis tools? What 
portion of web applications have been tested using web application 
security tools? How many programmers working on Department 
applications, whether Department or contractor employees, have been 
trained in secure coding techniques and what skills testing was 
undertaken to ensure they had mastered secure coding techniques?
    The Department of Homeland Security relies heavily on Commercial 
Off-the-shelf (COTS) systems and applications. For this reason, 
Department policy requires that acquisition priority be given to 
products certified through any one of the three following certification 
programs:
          The National Security Agency/National Institute of 
        Standards and Technology, National Information Assurance 
        Partnership Evaluation and Validation Program
          International Common Criteria for Information Security 
        Technology Evaluation Mutual Recognition Agreement
          The National Institute of Standards and Technology 
        (NIST) Federal Information Processing Standards Validation 
        Program
    While there is currently no Department-wide secure coding 
initiative, this practice is addressed in a number of ways.
    The DHS Common Operating Environment primarily uses Microsoft 
software. In FY06/07 the Department supported the Service Oriented 
Architecture through the use of the Microsoft .NET environment. This 
coding environment provides a means to produce code to protect against 
buffer overflows and other threat vectors that could be used to gain 
privileged access to computing environments.
    The Federal Law Enforcement Training Center (FLETC) has limited 
legacy software applications and associated coding. Although the center 
has not used secure coding in the past, its latest Student 
Administration and Scheduling System (SASS), currently being developed 
under contract, will be tested using source code analysis tools in the 
3rd Quarter of FY07.
    The Transportation Security Administration (TSA) is in phase one of 
implementing source code analysis tools, which it intends to employ on 
all applications, including web-enabled systems. Implementation will 
include appropriate training for TSA employees and contract language 
requiring training for contractor personnel.
    Other Components, such as the National Protection and Programs 
Directorate (NPPD), manually check secure coding against the Defense 
Information Systems Agency (DISA) Security Technical Implementation 
Guides (STIG) and with the .NET questionnaire. These checklists enable 
NPPD to ensure that coding is ``hardened'' in accordance with DHS IT 
Security Policy.\2\
---------------------------------------------------------------------------
    \2\ Hardening in this context means the use of security 
configuration checklists to greatly improve overall levels of security 
in organizational systems; however, no checklist can permit a system or 
a product to become 100% secure.
---------------------------------------------------------------------------
    The United States Citizenship and Immigration Services (USCIS) 
tests selected enterprise applications as part of an independent 
validation and verification (IV&V) process. New application code is run 
through a security test and evaluation (ST&E) process as part of the 
normal IT lifecycle management methodology.
    Components that do not perform their own source code analysis are 
required to utilize applications and operating systems found in the DHS 
Technical Reference Model (TRM) database. The Customs and Border 
Protection (CBP) Technical Review Committee (TRC) reviews and approves 
software and hardware for insertion into the TRM. The TRC considers 
other test results, such as those conducted as part of the National 
Information Assurance Partnership (NIAP) testing program.

    Question 8.: Has the Department mandated two-factor authentication 
for all privileged personnel and system administrators? If not, why 
not?
    The Department currently employs a number of two-factor 
authentication technologies, including the Common Access Card (CAC) and 
RSA (Token-based). These technologies were implemented at the Component 
level and were selected to meet specific mission needs. There is 
currently no Department-wide solution in place, however two-factor 
authentication will be incorporated as part of the Department's 
implementation of Homeland Security Presidential Directive #12 
(HSPD-12). HSPD-12 is provided in Attachment 10.
    The Department's intent is to move to HSPD-12 compliant PIV cards 
as rapidly as possible. Cards will be required for all employees, as 
well as any other individual requiring access to the Department's IT 
resources.

    Question 9.: What legal requirements are the Department's hosting 
companies, data warehouses, software developers, or application service 
providers contractually obligated to regarding security? Please provide 
a narrative of the duties, layers of security, notification of security 
breaches, and timeliness of responses that the Department requires of 
these contractors. Is the Department able to audit/penetration test 
these entities to ensure that that standard of security has been met? 
Has the Department ever done so?
    Response: The Department currently operates and maintains a total 
of 723 production systems:
    506 Agency Systems
    217 Contractor Systems
    --------------------------------------------
    723 Total Systems

    In addition to complying with all Federal Acquisition Regulations, 
the Department has published specific Homeland Security Acquisition 
Regulations (HSAR), in accordance with rule making authority granted 
when the Department was created. Contractor systems are tracked and 
maintained within the DHS tracking system and subject to the same rules 
and requirements as Government systems. The relevant sections and 
specific language associated with information security activities in 
the HSAR are included in Attachment 11.
    For example, the Inspector General (IG) routinely reviews a sub-set 
of contractor systems as part of the annual FISMA review. The review 
includes test results of system controls, conducted as part of the 
system's Certification and Accreditation or required annual test. In 
addition, the IG has conducted several audits where the information 
systems were owned by contractors (including other Federal agencies) 
and where system tests were performed to evaluate the effectiveness of 
system controls. In developing its FY08 annual performance plan, the IG 
has identified additional audits that will test and evaluate controls 
on systems owned and/or managed on behalf of the Department by outside 
contractors or other Federal agencies.

    Question 10.: Please provide the annual budgets for the Chief 
Information Security Officer beginning in fiscal year 2003.
    2003 Department created (no budget existed for this year)
    2004 $12.5M
    2005 $17.5M
    2006 $15M
    2007 $15M

    Question 11.: How much money, in total, has the Department spent on 
meeting the requirements of the Federal Information Security Management 
Act (FISMA)? What percentage of the overall budget does that figure 
represent? Specifically, how did those reports lead to improved 
defenses against attacks? What specific changes were made? Are you 
confident those changes improved your defenses?
    Total spending in DHS for IT security is as follows (all dollar 
figures are in millions):


                                                    IT Security as % of
   Year           IT Security          IT Total            all IT

   2006                  $312.3         $3811.5                   8.2%
   2007                  $331.7         $4879.6                   6.8%


    DHS has implemented the Federal Information Security Management Act 
(FISMA) through a comprehensive set of Department-specific policies 
that incorporate all federal guidance, including National Institute of 
Standards and Technology (NIST) standards and guidance, as well as 
Office of Management and Budget (OMB) memoranda. NIST Special 
Publication (SP) 800-53 is fully incorporated into Department policies 
and it provides the core set of controls implemented at the system 
level. Specifically, in 2006, the Department completed a year-long 
system accreditation project and the number of systems that are fully 
accredited rose 24% to 95%. As a result of this effort, systems now 
have documented plans in place for implementing the NIST recommended IT 
security controls, and the effectiveness of these controls has been 
verified for each system.

    Question 12.: When the Department purchases software, do 
procurement documents require that the purchased software operates 
effectively on the secure configurations? If not, what does the 
Department do when a purchased package requires security configurations 
to be weakened in order to run the purchased application?
    The Homeland Security Acquisition Regulations require vendors to 
comply with all Department IT security policies (specifically 4300A) 
including the Department's operating systems configuration guidance. 
(Note: The Department has published hardening guidance for all 
operating systems that are currently in use or that are planned for in 
future implementations.) Waivers to this policy expressly require risk 
acceptance and mitigation measures and a plan for bringing the system 
into compliance.

    Question 13. What are your top three initiatives for securing the 
Department? How do you measure those goals?
    The Department is currently pursuing a number of initiatives to 
improve our overall Information Security posture. Among these, the top 
three are:
          100% FISMA compliance
          Consolidated networks and datacenters
          HSPD-12 implementation
    Full compliance with FISMA will allow the Department to fulfill the 
goals of the act, including implementing cost-effective, risk-based 
information security programs; providing improved, cost-effective 
application of IT security controls; allowing for more consistent, 
repeatable security control assessments; and providing more complete, 
reliable, and real-time information to the DHS leadership. This 
initiative is currently underway and being tracked through monthly 
FISMA Scorecards for each Component. The overall success will be 
realized by an increased Department-wide OMB FISMA score.
    Consolidation of DHS networks and datacenters is also a top 
priority. The Department currently operates a number of scattered 
networks and datacenters of varying capabilities, making it difficult 
to maintain consistent standards, increasing costs and forcing 
duplication of effort. Consolidation will allow for improved 
standardization, giving the Department a greater ability to apply more 
effective and consistent security policies, reducing operations and 
maintenance costs, and allowing DHS to better focus efforts and 
resources. Overall success will be realized through improved security, 
consistent capabilities, and decreased costs.
    HSPD-12 implementation is another priority. This initiative will 
give the Department an increased identity verification capability for 
its employees and contractors, allowing for tighter physical and 
logical access controls. Furthermore, HSPD-12 will give DHS the ability 
to implement two-factor authentication for all Government and 
Contractor personnel, as well as providing a secure, reliable 
interoperability capability with all other Federal agencies.
    [See committee file for all attachments.]