Officials from the U.S. Department of Homeland Security will hold a hearing on Capitol Hill on June 20 to discuss the findings of an investigation into the agency's own problems in battling electronic attacks and IT systems intrusions.
In a hearing labeled "Hacking the Homeland: Investigating Cyber-security Vulnerabilities at the Department of Homeland Security," officials including DHS chief information officer Scott Charbo and Gregory Wilshusen, director of information security issues at the Government Accountability Office (GAO) are scheduled to detail their findings in response to requests from Congress to test the agency's IT security defenses.
In a letter sent to Charbo on April 30, members of Congress led by Rep. Bennie G. Thompson (D-Miss.), chairman of the House Committee on Homeland Security, asked DHS to conduct a review of its information system security in the wake of news that the departments of commerce and state were successfully hacked during 2006.
Details of those systems intrusions were first revealed at a hearing coordinated by the House Subcommittee on Emerging Threats, Cyber-security, Science, and Technology on April 19.
"These incidents jeopardize the integrity of our government's information. We are concerned that similar incidents may be occurring within the networks of the Department of Homeland Security," read the letter, which was also signed by ranking members of the House Subcommittee on Management, Investigations, and Oversight.
Among the issues expected to be addressed by Charbo and other witnesses -- including Keith A. Rhodes, director for the Center for Technology and Engineering in the GAO -- at next week's hearing will be a review of cybersecurity incidents reported to the DHS Security Operations Center (SOC), such as instances of rootkits, classified leaks, compromised Web sites, bot infections, unauthorized use of networks by contractors, and virus attacks.
According to a Congressional press release distributed ahead of the hearing, the GAO witnesses will also describe an investigation they conducted on a specific DHS network that is "riddled with significant information security control weaknesses that place sensitive and personally identifiable information at increased risk of unauthorized disclosure."
The subcommittee also plans to air some of its concerns with the DHS OneNet project, which is aimed at consolidating all of the agency's information networks under one roof, and to question a perceived lack of IT security funding by Charbo.
The Congressional committee has said it will call for further investigation of security issues existing within DHS at the hearing.
Among the specific questions posed to DHS leaders by Thompson and other members of the House Committee on Homeland Security are what responsibility Charbo has over management of the agency's networks, and his relationship with the department's chief information security officers (CISOs) and chief information officers.
Charbo was also asked to provide details of the agency's information security policies and incident response plans, along with data on how many and what types of security events it has reported to the U.S. Computer Emergency Readiness Team (US-CERT), which was established in 2003 and operates as a partnership between DHS and the public and private sectors.
Among the incidents that Congress has specifically asked for more information about are the most severe threats encountered by the agency between 2004 and 2007.
The committee has also asked DHS officials to reveal whether or not they have taken an inventory of each access point on the agency's network, and how it has approached the practice of penetration testing for its internal and external systems.
In addition to questioning the department's security testing policies, the committee has asked DHS to turn over details of any secure software coding initiatives it has launched in the name of eliminating vulnerabilities in its applications, as well as statistics on how much of its coding is being performed by outside contractors.
The committee has also asked for information on whether or not DHS is requiring two-factor IT systems authentication for all privileged personnel and systems administrators.
A good deal of discussion at the hearing is likely to be given over to the process that DHS has employed to meet the terms of the Federal Information Security Management Act (FISMA), which was enacted by Congress in 2002 and is aimed at improving IT security in the federal space via a system of mandated annual audits.
The hearing may be seen as a bellwether moment in the continued development of government IT security policies and enforcement, as the DHS has been charged with helping to oversee the performance of other agencies, including via its work with US-CERT.
If the DHS is found to have failed to protect its own systems adequately, some observers believe that the agency will be put under significant pressure to completely retrench its IT operations in the name of improving security, a process that may then be pushed out to other federal agencies.
Some experts believe that adopting such an approach will soon become a fact of life for all government agencies, as many legacy computer systems and policies are not suited to respond to today's fierce security climate.
Dave Nelson, a retired deputy CIO for IT security at NASA, who also worked in the White House Office of Scientific Research, said that the government, much like enterprise businesses, has been put in the uncomfortable position of coping with security threats in a cat-and-mouse game, based on long-standing flaws in the technologies and processes it employs.
"Until the Internet and the computers that are on it are fundamentally reengineered to be inherently secure, we will always be in coping mode," Nelson said. "The government and IT industry may not know how to make these types of technologies yet, but if they don't get cracking, things will only get worse; as the economic and political payoff of attacks continues to rise, that's our only choice."
While Nelson said he has not been made privy to information on attacks on government IT infrastructure for several years, he estimates that there are still many breaches, and that the sophistication of the attacks is ramping up quickly.
One of the specific areas that Nelson said needs to be investigated more closely is to what extent foreign governments or politically motivated groups such as terrorists may be involved in cyberthreats.
"We don't have any public information that would conclusively prove that some of these attacks are being launched by other nations, but there seem to be significant resources behind them in terms of people and financing," Nelson said. "That's the scariest part, and extrapolating that idea into the future, I don't see a lot of encouraging signs for improvement. If you look at the zero day attacks, they only seem to be getting worse, and I don't see evidence that the systems vulnerabilities they target are going away anytime soon."