Posted by: David Schneier
Information Security Threats, Security Management
Don’t look now, but it appears that Congress is beginning to pay some serious attention to the security (or lack thereof) of the federal government’s networks. A House subcommittee last month held a hearing on some serious intrusions into the networks at the Department of State and Department of Commerce last year, and the members spent a lot of time asking the federal officials what they knew and when they knew it. From the comments coming out of the hearing, it did not appear that the lawmakers were even close to satisfied with the answers.
Now the House Committee on Homeland Security is looking for some straight answers from the Department of Homeland Security about how that department plans to improve the security of its network. The committee sent a letter to DHS CIO Scott Charbo on Monday demanding responses to a series of 13 questions, including:
- Has the department mandated two-factor authentication for all privileged personnel and systems administrators? If not, why?
- Has the department implemented a secure coding initiative? What portion of software deployed by the department and its components has been tested using source code analysis tools?
- When was the last time the department used ingress and egress filtering on client personal computers?
- When the department purchases software, do the procurement documents require that the purchased software operates effectively on the secure configurations?
The letter is similar to one that the committee sent to the State Department ahead of last month’s hearing, and it’s a clear indication that at least some members of Congress are aware of the vulnerability of the country’s federal networks. Whether any concrete changes come from these actions remains to be seen, but things are starting to get interesting inside the Beltway.