Lawmakers: Can DHS protect its networks?

The U.S. Department of Homeland Security's (DHS) CIO was on the hot seat Wednesday on Capitol Hill after an independent audit found that a database that screens U.S. visitors lacked security controls.

The chairman of the U.S. House of Representatives Homeland Security Committee called on DHS CIO Scott Charbo to explain why he should keep his job after persistent cybersecurity problems at the agency.

"What happened to leadership?" Rep. Bennie Thompson, the committee chairman and a Mississippi Democrat, said during a hearing of the Subcommittee on Emerging Threats, Cybersecurity, and Science, and Technology. "What happened to accountability?"

Lawmakers also said they were concerned that the agency reported 844 cybersecurity incidents in 2005 and 2006.

"Although we still have a ways to go, we've made measurable improvements in the management of information security at the department," Charbo said. "Certainly, we need to increase our vigilance to ensure that such incidents do not happen again."

Many of the 844 incidents were minor, and the agency has taken major steps to fix past cybersecurity issues, Charbo said. Many of the reported cybersecurity incidents related to problems like lost laptops that did not result in data breaches, he added.

The subcommittee did not have a breakdown of the incidents Wednesday.

Asked about reports of bots installed on DHS computers that could send information out to hackers, Charbo said he had "no evidence" that the bots caused a breach.

Thompson's comments came as the U.S. Government Accountability Office (GAO) issued a report saying DHS continues to have "significant weaknesses in computer security controls that threaten the confidentiality, integrity, and availability of key ... systems."

GAO investigators found no security controls on the US-VISIT database, the system that screens people who want to visit the United States for potential terrorists and criminals. Lawmakers are concerned whether terrorists could get into the database "and change or alter their names to allow them access to this country, and we wouldn't even know that they're doing it," said Rep. Bob Etheridge, a North Carolina Democrat.

A contractor provides IT security for US-VISIT, but DHS has its own security controls in place to protect the database, Charbo said. He didn't disclose specific security measures.

The GAO doesn't have evidence that the US-VISIT database was breached, said Keith Rhodes, chief technologist and director of the GAO's Center for Technology and Engineering. "I did not see controls in place that would prevent it," Rhodes said. "I did not see defensive perimeters, and I did not see detection systems in place whether it had or had not [been breached]."

GAO started a cybersecurity review of DHS a year ago but curtailed its efforts because it kept finding "more and more" problems, Rhodes said. "If we had continued to this day, I would argue we'd still be finding things," he said. "The problems were pervasive. The problems were systemic."