Lawmakers to DHS: Investigate response to cyberattacks

The House Homeland Security Committee has requested that the Homeland Security Department's inspector general investigate cyberattacks on DHS that originated from Chinese-language Web sites and actions by Unisys that the committee called incompetent and possibly illegal and may have failed to detect the intrusions. Unisys built and maintains the networks for DHS headquarters and the Transportation Security Administration.Committee Chairman Bennie Thompson (D-Miss.) and James Langevin (D-R.I.), chairman of the committee's Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, also seek a review of the department officials who oversee management of the contract, the lawmakers said in their Sept. 21 letter to DHS Inspector General Richard Skinner.Unisys provided inaccurate and misleading information to DHS about the source of the attacks and attempted to hide security gaps, the lawmakers said in their letter. Furthermore, DHS officials did not act on the information once they were informed."When presented with the reality that hackers were within their systems, department officials preferred to complete the fiscal year's financial transactions rather than immediately take steps to mitigate the problem," the lawmakers wrote. That decision could have further compromised critical DHS' financial information.DHS said it has been working with the committee. "We take the committee's allegations very seriously and have cooperated fully. We will continue to work with the department's inspector general and the committee as necessary concerning these allegations," a DHS spokesman said.Since last year, Chinese hackers have attacked systems at the Defense, Commerce and State departments, the lawmakers said. In the past several months, the committee has examined and held hearings on DHS cybersecurity incidents and how the department has beefed up its network security in response. Since April, Scott Charbo, DHS' chief information officer, has provided information to the committee on information technology security efforts.DHS incident reports that the committee received earlier this month described the placement of a hacking tool, a password-dumping utility and other malicious code on more than a dozen computers at the department's headquarters, the letter states. The committee found that hackers compromised dozens of DHS computers, and these incidents were not noticed until months after the initial attack."These computers may still be compromised due to insufficient mitigation efforts by the contractor responsible for information technology services at the department," the lawmakers wrote in the letter.Hackers extracted information out of DHS systems to a Web hosting service that connects to Chinese Web sites.Although network intrusion-detection systems were part of the department’s Information Technology Managed Services contract, the systems were not fully deployed at the time of the initial incidents."If network security engineers were running these systems, the initial intrusions may have been detected and prevented," the lawmakers wrote.Unisys said it performed its contract according to protocol, said company spokeswoman Lisa Meyer, who could not speak about specific incidents because of federal security regulations."We can state generally that the allegation that Unisys did not properly install essential security systems is incorrect," she said in a statement. "In addition, we routinely follow prescribed security protocols and have properly reported incidents to the customer in accordance with those protocols."The company has worked closely with DHS security personnel to develop effective security systems and processes that meet the department's requirements, she said. The contractor's government-certified and accredited security programs and systems have been in place throughout the period in question in 2006 and continue today."We believe that a proper investigation of this matter will conclude that Unisys acted in good faith to meet the customer’s security requirements," Meyer said.