DHS solves CIO clearance problem

Homeland Security Department technology officials came under intense scrutiny in the past eight months for not knowing enough about security problems in their networks. Part of the reason, then-Chief Information Officer Scott Charbo said, was he and others did not receive classified briefings about the cyberattacks or cyberthreats against DHS or governmentwide. Charbo, who now is the deputy undersecretary at the National Protection and Programs Directorate, told lawmakers today that DHS has fixed that problem by getting the CIO, deputy CIO, systems administrator and chief information security officer cleared to listen to classified briefings about cyberthreats or -attacks. “It is true at the time of that hearing that I was not aware of the threat vectors, but we are now aware of them and have briefings,” Charbo said during a hearing on the Bush administration’s cyberdirective held by the House Homeland Security Committee. “This is an issue that needs to be addressed for a lot of CIOs. They need their classification levels raised.” Charbo added that DHS addressed training, clearance and network issues to raise the visibility of security for key people across the department. Rep. Mike McCaul (R-Texas), ranking member of the committee’s Emerging Threats, Cybersecurity and Science and Technology Subcommittee, said all CIOs must have access to briefings at the classified level to share information. “You suffered from that gap,” he said. The fact that many CIOs don’t have clearance to view classified material is a major concern about the Bush administration’s new cyberdirective, experts said. Because most of the directive is classified, former Office of Management and Budget officials said CIOs need to be in the loop to implement cybersecurity requirements or understand where potential threats are coming from. At the hearing, lawmakers wanted more answers from DHS and OMB about the directive, including who would be accountable for ensuring the initiative is implemented correctly and who will control the funding — which is about $30 billion over five years. Committee members also expressed disappointment over the administration’s success in protecting federal networks. Committee members recently received a classified briefing about the directive, and used the hearing to focus on the public parts such as the Trusted Internet Connections effort to reduce to about 50 the number of federal Web gateways. “The administration drafted a high-level National Strategy to Secure Cyberspace in 2002 that presented problems and possible solutions to high-level cybersecurity issues, but never mandated any changes required to improve security,” said Rep. Bennie Thompson (D-Miss.) chairman of the committee. He added that this and other problems in the past five years make it “hard to believe that this administration now believes it has the answers to secure our federal networks and critical infrastructure.” Karen Evans, OMB’s administrator for e-government and information technology, said the cyber initiative is focused on closing many of the remaining gaps in federal networks. Evans pointed to several governmentwide initiatives as examples of a defense in-depth approach, including the implementation of the Federal Desktop Core Configuration for Microsoft Windows, using data encryption and reducing the number of external Internet connections. Still, Rep. Jane Harman (D-Calif.) said she was unsatisfied with both the progress so far and the amount of time it will take to implement certain parts of the cyber initiative. “There is no sense of urgency and there isn’t a timely response to these problems,” she said. “I don’t see DHS being able to do this within its own agency or across government. I’ve very concerned.” Robert Jamison, the undersecretary for the National Protection and Programs Directorate, tried to ensure lawmakers that the administration is taking cybersecurity seriously, and that the initiative would not violate citizens’ privacy. “The department established a number of programs and initiatives to coordinate efforts with federal departments and agencies to improve cybersecurity,” Jamison said. “These programs focus on enhancing situational awareness, increasing collaboration across federal operational security teams, preventing cyber incidents and providing interagency coordination during a cyber event.”