DHS on Its Own Cybersecurity: "Do As I Say, Not As I Do"

Created by Rodney J. Petersen (EDUCAUSE) on June 21, 2007

The Emerging Threats, Cybersecurity, and Science and Technology Subcommittee of the Homeland Security Committee in the U.S. House of Representatives held a hearing yesterday on the topic of “Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security”. Chairman Rep. James Langevin (Dem-RI) commented, "It was a shock and disappointment to learn that the Department of Homeland Security - the agency charged with being the lead in our national cybersecurity - has suffered so many significant security incidents on its networks."

The full committee chairman, Rep. Bennie Thompson (Dem-Miss), asked: How can the Department of Homeland Security be a real advocate for sound cybersecurity practices without following some of its own advice? How can we expect improvements in private infrastructure cyberdefense when DHS bureaucrats aren’t fixing their own configurations? How can we ask others to invest in upgraded security technologies when the Chief Information Officer grows the Department’s IT security budget at a snail’s pace? How can we ask the private sector to better train employees and implement more consistent access controls when DHS allows employees to send classified emails over unclassified networks and contractors to attach unapproved laptops to the network?

Witnesses, who included the CIO from DHS and representatives of the Government Accountability Office, were cautious in acknowledging that progress is being made despite shortcomings in DHS's information security program. Rep. Thompson remarked, "The American people are tired of hearing that getting a 'D' is a security improvement," referring to the recent Annual Report Card on Computer Security for Federal Departments and Agencies.

More information regarding the hearing, including witness testimony and a recorded webcast, is available at http://homeland.house.gov/hearings/index.asp?ID=65