Members of a US House subcommittee blasted Department of Homeland Security CIO Scott Charbo for what they called a lack of leadership on information security issues and questioned his willingness to make needed fixes — and even his ability to head the agency's IT organization.
The stinging criticisms levelled at Charbo illustrate the complexity of the challenge he has faced since taking over as CIO of the DHS in July 2005: developing a unified IT infrastructure for the 22 separate agencies that were cobbled together to create the DHS.
Charbo rebutted the charges at a hearing held by the subcommittee, which is investigating cybersecurity vulnerabilities at the DHS. He said that much of the criticism of the agency's security capabilities was based on outdated information that ignored some of the improvements the DHS has made to its IT defences.
"I'm confident that the DHS information security program is moving in the right direction," Charbo said in his prepared testimony. "Although we still have a ways to go, we've made measurable improvements in the management of information security."
But that didn't dissuade legislators such as Bennie Thompson from launching verbal salvos at Charbo. Thompson, who chairs the House Committee on Homeland Security, said he had reviewed Charbo's responses to a series of security-related questions posed by the panel's subcommittee on emerging threats, cybersecurity, and science and technology in advance of the hearing.
Based on the responses, "I think the first thing that Mr Charbo needs to do is explain to us why he should keep his job," Thompson said. "I am not convinced that he's serious about fixing the vulnerabilities in [the DHS's] systems."
Thompson's criticism of Charbo was echoed by James Langevin, the subcommittee's chairman. In his opening remarks at the hearing, Langevin expressed his "shock and disappointment" at learning that the DHS had reported a total of 844 security incidents during the federal government's 2005 and 2006 fiscal years.
Langevin also said he was dismayed by what he claimed was Charbo's unwillingness to invest the needed resources to correct such problems. "The finances show that Mr Charbo and the department's leadership continue to underinvest in IT security," Langevin said.
Adding more fuel to the fire was a report released by the Government Accountability Office, which said it had found pervasive and systemic security problems at the DHS during a year-long review.
Among the issues highlighted by the GAO were a "material weakness" in the security controls on financial systems, the lack of an effective agency-wide information security program and a continued failure to conduct comprehensive assessments of security risks.
Keith Rhodes, the GAO's chief technologist, said at the hearing that eventually his staff simply stopped looking for more vulnerabilities in the systems at the DHS and its component units because the problems were so widespread.
But Christopher Pierson, a partner at US law firm Lewis and Roca and board member in the local chapter of the FBI's InfraGard security information-sharing program, said that blaming Charbo for all of the problems at the DHS is unwarranted.
"DHS is faced with a unique problem," Pierson said. "It has a patchwork of 22 agencies that have been stitched together, do not share similar systems or security processes, and function very differently."
And until DHS Secretary Michael Chertoff issued a directive in March giving the CIO greater authority over IT on an agency-wide basis, Charbo really didn't have the clout needed to make meaningful changes, Pierson said.
Charbo said at the hearing that the DHS has completed an inventory of its systems and has made significant progress in certifying that they meet Federal Information Security Management Act (FISMA) standards.
The DHS is also in the midst of three IT consolidation projects that will have a significant impact on security, Charbo said. They include the creation of a single WAN called OneNet, featuring IPsec-based encryption and authentication; the development of an enterprise architecture that consolidates 13 different e-mail and directory systems into one; and the melding of multiple data centres into a shared facility.
In addition, Charbo defended his agency's IT security spending, saying it was on a par with industry standards.
Alan Paller, director of research at the US SANS Institute, said Charbo's record on information security is similar to those of a majority of CIOs at large federal agencies. But, he added, at least some of the FISMA compliance efforts at the DHS appear to have been paperwork exercises that have done little to actually improve security.