Rep. Bennie Thompson | To protect the U.S., DHS needs secure systems

In the late 1960s, the Stanford Research Institute, the University of California at Los Angeles and the Department of Defense worked together to create a network designed to assist the military with its communications during wartime. Their efforts led to ARPANET, which eventually spawned the Internet and the networked systems that today run much of our society.Our electrical grid, telecommunications networks, financial sector, and emergency and national defense services all depend on computer networks'networks that are interconnected and reliant on one another. A weak link anywhere within a network, whether on a home PC or government system, can allow terrorists and other criminals to attack our economic and national security.In response to this threat, Congress enacted a number of laws to assist federal agencies in designing, developing and implementing information security programs. One of those laws, the Federal Information Security Management Act of 2002, plays a critical role in assuring that agencies are doing all they can to protect their part of the networked community.Unfortunately, the Homeland Security Department has failed to make the grade with regard to FISMA and securing its networks. In its annual Federal Computer Security Report Card issued last December, the House Government Reform Committee gave the Department an 'F' for its efforts on information security. This is the second year in a row that the department received a failing grade on the report card, which is based on federal agencies' annual IT security reviews required by FISMA.In June, the Government Accountability Office issued a report examining how well the department is progressing with its information security efforts. Its findings were consistent with what the Government Reform Committee found. The GAO report stated that the department 'has not fully implemented a comprehensive, departmentwide information security program to protect the information and information systems that support its operations and assets.'The fact that the federal agency tasked with protecting our nation from all types of attacks cannot even protect its own systems is troubling.It is even more problematic that many of the components and programs cited by GAO for the worst information security efforts are those tasked with critical homeland security responsibilities. They include the Immigration and Customs Enforcement agency, the Transportation Security Administration, the U.S. Visitor and Immigrant Status Indicator Technology program, and the Emergency Preparedness and Response Directorate.ICE and U.S. Visit are critical elements of our nation's border security. ICE is the investigative arm of the department that must secure the nation's borders and investigate immigration and customs violations. U.S. Visit is a congressionally mandated program designed to track the entry and exit of visitors to our nation using biometrics and personally identifiable information.TSA is responsible for securing our aviation, rail and public transit sectors. EPR is responsible for assisting our nation's first responders'police, firefighters, and emergency medical personnel'with their efforts to protect our local communities.Information security gaps at these DHS entities and programs pose several dangers. First, it is possible that sensitive information, including biometrics and personal information collected and stored about millions of people, could be accessed and compromised by wrongdoers.The recent spate of data breaches at commercial databases should serve as a wake-up call to the department that protecting information is critical to combating identity theft. Recently, the Democratic staff of the House Homeland Security Committee prepared a report showing how terrorists could use identity theft to help carry out their attacks.Entities like ICE and EPR may have information in their systems that relates to sensitive investigations or specific efforts by state and local communities to secure the homeland. If those systems aren't secure, terrorists could access information compromising the safety of law enforcement officials working for the department, as well as that of our local first responders. This is simply unacceptable.GAO's finding that several of these entities have not completed risk assessments or are operating with outdated assessments should be a concern. It is impossible to determine where the department's weak links are if components have not even been identified and assessed for information security risks. It is also difficult for Congress to assist the DHS with its information security efforts if we do not know where to authorize and appropriate funds.The department must take several steps to improve its IT security.The first is ensuring that the CIO has the authority to direct the various components and their individual CIOs to comply with FISMA and departmental policy.Currently, the department's CIO lacks that authority. Each individual agency's CIO operates its own systems and networks. Building in redundancy and interoperability, along with simple departmentwide management, is not possible if the top CIO cannot direct the troops.Second, the CIO, with the secretary's support, must require the component agencies to implement information security practices. The key is developing complete and up-to-date risk assessments.I know from talking to secretary Michael Chertoff and other department leaders that they want DHS to take a risk-based approach to securing our nation. The department should set an example by first undertaking such an approach in its own house.Securing our nation's computer networks and systems is not an easy task. Threats and vulnerabilities, unfortunately, abound. That said, the agency tasked with keeping us safe from terrorists should not itself pose one of the most transparent security risks. n