Wyatt Kash | DHS' security gaps
If there is an upside to the grilling Homeland Security Department Chief Information Officer Scott Charbo endured from lawmakers at a House hearing a couple weeks ago, hopefully it will be a growing realization on Capitol Hill that it's going to take more than a raft of policies to keep up with the mounting risk of cyberattacks on government networks.
Rep. Jim Langevin (D-R.I.), chairman of the Homeland Security Committee's Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, took Charbo to task for the 'systemic and pervasive' problems found in DHS' approach to information technology security, based on a recent Government Accountability Office investigation (story, Page 12).
It is hard not to share the congressman's 'shock and disappointment' to learn that DHS, the agency charged with defending the country against cyberattacks, reported 844 cybersecurity failures in its systems in fiscal 2005 and 2006. Charbo's explanations, that the incidents didn't mean systems were compromised, that ongoing consolidation and upgrade projects are addressing many of the vulnerabilities, and that IT security spending remains on par with industry standards, offered little reassurance.
What should have disturbed the committee more is the reality that many of these incidents occurred on systems owned and managed by outside contractors; that those contractors, not DHS, are responsible for demonstrating compliance with the Federal Information Security Management Act; and that the ability to audit contractors on real, versus documented, security exceeds the authority of most CIOs. The sad fact remains that a disproportionate effort goes into complying with FISMA provisions while not enough resources go toward building the network security mechanisms needed to keep up with the rapidly evolving nature of cyberattacks.
Few would envy the job Charbo has in trying to secure what remains a massive array of networks. But one fact made clear at the hearing, that DHS safeguards data moving into and out of its networks but doesn't, for instance, encrypt data moving within its local-area networks, is just one indication of the need for more-robust security measures at DHS and other agencies. The subcommittee is right to recognize that securing government networks is partly an issue of leadership, but it could also help by promoting investment in real security measures at the expense of producing and auditing FISMA compliance reports.

Wyatt Kash, Editor in chief