Vulnerabilities in the DHS Networks

Wired.com has the story:

Congress asked Homeland Security's chief information officer, Scott Charbo, who has a Masters in plant science, to account for more than 800 self-reported vulnerabilities over the last two years and for recently uncovered systemic security problems in US-VISIT, the massive computer network intended to screen and collect the fingerprints and photos of visitors to the United States.

Charbo's main tactic before the House Homeland Security subcommittee Wednesday was to downplay the seriousness of the threats and to characterize the security investigation of US-VISIT as simultaneously old news and news so new he hasn't had time to meet with the investigators.

"Key systems operated by Customs and Border Patrol were riddled by control weaknesses," the Government Accountability Office's director of Information Security issues Gregory Wilshusen told the committee. Poor security practices and a lack of an authoritative internal map of how various systems interconnect increases the risk that contractors, employees or would-be hackers can or have penetrated and disrupted key DHS computer systems, Wilshusen and Keith Rhodes Director, the GAO's director of the Center for Technology and Engineering told the committee.

Posted on June 22, 2007 at 10:37 AM • 16 Comments

Comments

merkelcellcancerJune 22, 2007 11:07 AM


US-VISIT workstations capture fingerprints and digital photos of people coming into the United States as part of a computerized screening process aimed at keeping terrorists from entering the country.

A Morocco-born computer virus that crashed the Department of Homeland Security's US-VISIT border screening system last year first passed though the backbone network of the Immigrations and Customs Enforcement bureau, according to newly released documents on the incident.

The documents were released by court order, following a yearlong battle by Wired News to obtain the pages under the Freedom of Information Act. They provide the first official acknowledgement that DHS erred by deliberately leaving more than 1,300 sensitive US-VISIT workstations vulnerable to attack, even as it mounted an all-out effort to patch routine desktop computers against the virulent Zotob worm.

http://www.wired.com/science/discoveries/news/2006/11/72051

RoxanneJune 22, 2007 11:09 AM

Oh, come on. He's the INFORMATION officer. He knows how to read a press release. Period. End of sentence. He would be completely out of his depth in trying to attach a printer to his own computer, let alone anything more complex.

I want to hear from the DHS TECHNOLOGY officer. My guess, if they have one, they won't tell anyone who he is, for security reasons. :-)

Stephen SmoogenJune 22, 2007 11:38 AM

Ahh... but the CIO is usually the one in charge of all the computers. The CTO is usually in charge of new stuff but as soon as it goes into production it is the CIO's responsibility. And then you have the Chief Security Officer who might not have anything to do with physical or information security..

This is the standard for both government and many companies... it makes it really hard to know what/who a position really does as they rarely have a 'Mandated meaning'.

AndyJune 22, 2007 11:52 AM

Bruce,

I'm not exactly sure what the degree in plant science has to do with anything. There are lot of folks working in this field whose main background isn't math and/or CS. Does that mean we're all incompetent?

RichJune 22, 2007 12:08 PM

@Andy
Excellent people in various IT position have degrees in non-IT fields. However, the good people usually have some experience as a substitute for the degree. The brief bio linked above didn't indicate much relevant experience as a substitute for the degree. The experience may be there, but this administration has a reputatation for appointing positions based on political qualities rather than skills pertaining to the job.

dragonfrogJune 22, 2007 12:16 PM

I loved this line from the article

"Terrorists or nation states could get int there and change or alter their names rendering our watchlists and visa program useless," Etheridge said.

a) What, more useless than they already are?

b) I like the idea of nation states changing their names - "You're a civil servant from Iran, you say? Let's see, we've got Iraf and Iraq on the naughty list, but no Iran. Enjoy your stay, sir!"

yoshiJune 22, 2007 12:34 PM

@andy

But they are not usually CIOs. CIOs will generally have a degree in business with something technical thrown in. Or have been in the industry for a long time. I've heard his answers before - they are the canned answers every CIO gives when they don't really understand what's going on. He does not understand managing risk.

JJune 22, 2007 1:31 PM

I have yet to work in a position where everyone in my management chain has fewer work-related credentials, and usually less experience, in than I. (No, I'm not 80 years of age with a PhD.) I've been told that you don't have to know a thing about what you're managing to be an effective manager.

Creating DHS was a well-meant solution to a problem that wasn't well-understood. Now no one who could do a good job in pulling things back together wants anything to do with the management of the organization.

georgeJune 22, 2007 3:13 PM

No, I'm sure being the environmental director for Tri-state Delta Chemicals is exactly the experience someone needs to succeed at leading the IT folks at the DHS. He's probably even more experienced in IT security matters than someone like Whit Diffie.

AndyJune 22, 2007 3:33 PM

My point wasn't that he *is* qualified, but that having a degree in biology or whatnot shouldn't automatically disqualify him. Bruce didn't point out his lack of experience, he threw in only the degree as if to insinuate something.

Mark J.June 22, 2007 10:35 PM

@Andy

I was going to bring up the same point, but I'm late to the party.

Still, like Rich said, this guy doesn't appear to have the experience either.

And I agree with your second post as well, Bruce did imply that the non-CS degree itself was reason to suspect his credentials.

FWIW, I've been a sys admin for a decade and my degree is in geology. Doesn't mean I'm not good at what I do. In fact, I'm a far better sys admin than I am a geologist. ;-)

Clive RobinsonJune 23, 2007 3:56 AM

@ J,

"I''ve been told that you don't have to know a thing about what you're managing to be an effective manager."

Actually that is true, you use "Domain Experts" the manager manages them and the overal process.

So the manager of an ICT Department has a number of high end servers networks telephone systems etc that are business critical. They have under them System Administrators, Project Managers, Programers, Network Administrators, Administration Assistants and a few others such as Security auditor / administrator.

Of that list only one is not in some way a Domain Expert (the Project Manager). The clue is in the title, their area of expertese is in managing "some process" that involves "some thing". The "some thing" is what the domain experts look after the manager in turn looks after (manages) "some process" that includes the domain experts. The process in essence is policy in motion (sorry for the bad pun) or put into action. Stake holders, Directors and some Senior Managers are responsable for deciding the direction and policy of the organisation

In theory (only these days) the leader of an organisation was outwards facing and interfaced with the rest of the world and the number two of the organisation. The number two was inwards facing and basically managed the organisation and it's processesses. Where required the number two would delegate downwards specific parts of the organisations function and processess.

Unfortunatly in the current world it's all about "Power Grab" and "Climbing the greasy pole", which means that it's politics politics politics at the top not reason or common sense (and there ain't much common about it these days 8)

Any techie who thinks they are respected for their knowledge is spending way to long in the office working unpaid overtime, instead of being down at the watering hole during happy hour networking with the movers and shakers...

Clive RobinsonJune 23, 2007 4:20 AM

@Andy,

"There are lot of folks working in this field whose main background isn't math and/or CS. Does that mean we're all incompetent?"

Spot on, most CS / Math graduates these days are not normally of any real use untill they have worked for about three or four years at the "coal face" of the work place.

Graduates from other engineering or science fields are usually much better bets for employment, as they have actually had to "work with" not play with the tools to get the results required to finish their courses with good results.

I do not know what was involved with Scott Charbo, and his "Masters in plant science" but it probably involved the use of statisitical and other tools as well as investigative methods that just don't get taught on your average "IT grunt" graduate course where the ability to get code cut to get past the compiler with a nice UI presentation is what gets the course points, not the fundementals of data structures, algorithms, scientific method etc etc etc.

In my limited experiance I have found the best technical staff to employ have studied engineering or applied mathmatics with the other hard science bods comming a very close second. As for "IT grunt graduates" they have way to much to unlearn and then re-learn. Invariably (in the U.K.) these days the course they have been on has been designed for an accountants view of an "employers needs" which means that they do not get taught enough of the fundementals just the current vogue tools and toys.

There are the exceptions but they come from Universities with a long tradition of academic engineering and scientific excelence that have justifiable world wide reputations. Sadly a lot of the graduates from those Universities realise which side of the bread the jam is on and usually move into managment as quickly as possible.

guvn'rJune 25, 2007 12:10 PM

In all fairness to Bruce, the quote was from the Wired story, including the bit about the credentials. So it's just another bit of smear journalism.

simongabrielJune 25, 2007 4:39 PM

Well, what I read is that he has a biology BS, and a Masters in the same field. He then went on to work for biology-based companies, including being president of one. He then also got a job at the USDA as the "Farm Service Agency director of the Office of Business and Program Integration ". Ok, not much of a leap, I suppose. He ran a business and should know about this sort of thing.

Now, since I did more than just RTFA and actually googled a bit, I found a nice little interview with Scott that goes into this very detail:

Charbo: "By education, I am a science major. I think there is an affinity there — to study different types of systems and how they work. I think that fits well when you are looking at all the different IT systems that we have at DHS.

After being a state and county employee, I went into industry. I cut my teeth on business and delivering results, but it was still kind of managing and reorganizing systems. It was a trucking system or a warehousing system or some type of logistics system. It’s funny, I’ve met other people who are biochemists or microbiologists or something like that, and they’ve done well in IT. So, I think there is something there in terms of an affinity toward the study of systems."

http://www.fedtechmagazine.com/article.asp?item_id=270

I won't say he seems the most qualified for the spot, as it seems he is just being a 'manager' and obviously not getting these issues resolved, but he doesn't seem completely incompetent either.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.