Is Charbo doing his job at DHS?

Fed up with mounting cybersecurity breaches at the Homeland Security Department, lawmakers brought their frustrations to bear on DHS Chief Information Officer Scott Charbo in a hearing June 20, accusing him of misspending his budget and not doing his job.

DHS reported that 844 cybersecurity-related incidents occurred in fiscal 2005 and 2006. Incidents involved workstations infected with Trojan viruses, unauthorized access to secure systems and misconfigured firewalls.

The Government Accountability Office also reported that investigators were unable to fully assess whether DHS databases ? such as those used in the U.S. Visitor and Immigrant Status Indicator Technology program ? had been breached because no evaluation tools were in place.

Members of the House Homeland Security Committee's Emerging Threats, Cybersecurity and Science and Technology Subcommittee accused Charbo of not taking his job seriously and the agency of failing to set an example of good information technology security.

"I am not convinced that [Charbo] is serious about fixing the vulnerabilities in our systems," said Rep. Bennie Thompson (D-Miss.).

Subcommittee Chairman Jim Langevin (D-R.I.) called the security problems very disturbing. He criticized DHS' certification and accreditation process and the Plan of Action and Milestones (PO-AMs) the department used to comply with the Federal Information Security Management Act. DHS received a D grade on the last FISMA report card.

Langevin also said nearly 69 percent of 3,566 open vulnerabilities reported on DHS' PO-AMs did not have resources allocated for them. Another 438 were tagged with $1 remediation costs.

Committee members accused Charbo of not spending enough money on cybersecurity. "Cybersecurity spending has remained flat or has fallen at DHS as the budget for IT has risen over 20 percent over the years," said Rep. Bob Etheridge (D-N.C.).

Charbo defended himself, saying the agency was already in the process of completing many of GAO's recommendations. However, when asked if GAO's investigation was the reason for DHS taking action on cybersecurity weaknesses, Charbo was less forthcoming.

"I'm not prepared to say that I already knew about those vulnerabilities and weaknesses," Charbo said.

Rep. Michael McCaul (R-Texas) also announced his intention to introduce new legislation for a national cybersecurity threat assessment to determine the health of the country's IT infrastructure.

Wade-Hahn Chan writes for Federal Computer Week, an 1105 Government Information Group publication.