Unisys Blamed for DHS Data Breaches
This story has been percolating around for a few days. Basically, Unisys was hired by the U.S. Department of Homeland Security to manage and monitor the department’s network security. After data breaches were discovered, DHS blamed Unisys—and I figured that everyone would be in serious CYA mode and that we’d never know what really happened. But it seems that there was a cover-up at Unisys, and that’s a big deal:
As part of the contract, Unisys, based in Blue Bell, Pa., was to install network-intrusion detection devices on the unclassified computer systems for the TSA and DHS headquarters and monitor the networks. But according to evidence gathered by the House Homeland Security Committee, Unisys’s failure to properly install and monitor the devices meant that DHS was not aware for at least three months of cyber-intrusions that began in June 2006. Through October of that year, Thompson said, 150 DHS computers—including one in the Office of Procurement Operations, which handles contract data—were compromised by hackers, who sent an unknown quantity of information to a Chinese-language Web site that appeared to host hacking tools.
The contractor also allegedly falsely certified that the network had been protected to cover up its lax oversight, according to the committee.
What interests me the most (as someone with a company that does network security management and monitoring) is that there might be some liability here:
“For the hundreds of millions of dollars that have been spent on building this system within Homeland, we should demand accountability by the contractor,” [Congressman] Thompson said in an interview. “If, in fact, fraud can be proven, those individuals guilty of it should be prosecuted.”
And, as an aside, we see how useless certifications can be:
She said that Unisys has provided DHS “with government-certified and accredited security programs and systems, which were in place throughout 2006 and remain so today.”
Aneel • October 3, 2007 8:16 AM
Unisys or any technical consulting/integration company (I work for IBM) screwing up a gig and then the engagement team covering it up–is nothing like unusual. Discovering and preventing it is easy, if you want to. What could make this interesting is how far up the Unisys ladder the cover-up decision goes.
Unisys should’ve done an independent technical review, post-engagement. But that’s expensive.
DHS is distracting from their own incompetence and failure to review and test the system–or at least demand that Unisys both do so and provide proof of having done so (live test in production)–before signing off on completion. Their management of the project carries a certain load of the guilt here.