This We'll Defend (poorly)
US Government Cyber Security Leadership Requires IT Professionals, Not Biologists
By Michael Tanji | June 22, 2007
The mission of the Department of Homeland Security is self-evident, though based on recent testimony by agency leadership one is left with the feeling that at least on one key front, there is not a lot of enthusiasm for securing the nation.
DHS Chief Information Officer Scott Charbo appeared before the House Homeland Security Committee Wednesday and confirmed what several past audits have exposed over the last few years: DHS is not taking cyber security seriously.
- DHS recently received yet another grade of “F” in information security by the Government Accountability Office. GAO investigators found that the agency still has not fully implemented a comprehensive, department-wide information security program, completed numerous risk-assessments, lacked security plans and had little or no way to test the validity of current security systems.
- At Wednesday’s hearing, the homeland security sub-committee was particularly chaffed to learn of over 800 security-related "incidents" on its networks between 2005 and 2006. Incidents included unauthorized access to networks, unauthorized software installations, malicious code infections and leaks of classified data.
- Computer systems of the Immigration Service also received attention at the hearing, with Government Accountability Office investigators testifying that mis-configured and out-dated systems left services like the US VISIT program open to technical compromise. In fact US VISIT computers were shut down by the Zotob virus in 2005.
- The Transportation Security Administration was recently shown to have given short shrift to rules about the handling of so-called “sensitive security information” that is unclassified data that nevertheless has some sort of security value and thus merits special protections.
GAO audits of most government agencies involved in the defense and security of the nation indicate that problems associated with cyber security are pervasive and systemic. Incompatible systems and the use of contractors to install, maintain and secure systems has been offered as a reason for these failings; but private concerns with differing information infrastructures merge all the time and contractors successfully maintain the security of countless other institutions and with much greater success.
What is really lacking here is a sense of priority and leadership.
Consider that Congress (indeed the nation) is debating the merits of a new immigration bill. If passed, the bill would place an extraordinary demand on the computer systems of security agencies like DHS. Let us echo the cry of the immigration bill's opponents and ask that we secure the network first, before we start to talk about taking on additional technical and security challenges. As things stand now there is no way to know if the systems that would be used to help verify the relative security of anyone attempting to gain access to the US have not already been compromised, making infiltration by a wide variety of threat actors more than a hypothetical situation.
One cannot point the finger at a generic scapegoat like “contractors” or any other working-level staff because they take their cues about what is important from agency leadership. No doubt DHS CIO Charbo is a dedicated public servant, but he is by trade and training a plant biologist, not a technologist or an expert in security. Even if he built up a certain level of information security expertise during his past tenure as CIO of the Department of Agriculture, it is clear that he has not given cyber security the priority it deserves.
Cyber security is an issue that needs to be taken as seriously as all other aspects of homeland security. The heavy lifting at the pointy-end of the spear gets the most attention, but all that work is for naught if critical decisions are being made using insecure networks and data of questionable integrity. This is a mission that merits seasoned, qualified and motivated leadership that can communicate its intent to succeed and that will hold people accountable for failure. Absent that, even the most comprehensive homeland security legislation is a waste of time.