Committee Finds Efforts to Secure Nation's Information Technology Systems Inadequate

March 27, 2012

WASHINGTON, DC - The House Energy and Commerce Subcommittee on Oversight and Investigations today continued its hearing series examining current cyber threats and vulnerabilities to our nation's infrastructure. The hearing entitled, "IT Supply Chain Security: Review of Government and Industry Efforts" assessed potential threats and vulnerabilities to federal information technology (IT) systems and examined the steps a number of agencies have taken to address and minimize IT supply chain related security risks. In February 2011, the Director of National Intelligence noted that there has been a dramatic increase in cyber activity targeting U.S. computers and systems, including more than tripling of the volume of malicious software since 2009.

Last week, the Government Accountability Office released a report examining the risk and threats to the supply chains of both commercial and federal IT systems. The GAO examined the four agencies involved in national security - the Departments of Defense, Energy, Homeland Security, and Justice - and their capability to assess the risk to their own IT supply chains and the steps they have taken to mitigate them. GAO found that while DOD, DOE, DHS, and Justice each participate in interagency efforts to address supply chain security, some of these agencies have made more progress than others in addressing IT supply chain security risks.

Gregory Wilshusen, Director of Information Security Issues at GAO, elaborated on DOE's situation, stating, "In May 2011, the Department of Energy revised its information security program, which requires Energy components to implement provisions based on NIST and Committee on National Security Systems guidance. However, the department was unable to provide details on implementation progress, milestones for completion, or how supply chain protection measures would be defined. Because it had not defined these measures or associated implementing procedures, the department was also not in a position to monitor compliance or effectiveness."

Oversight and Investigations Subcommittee Chairman Cliff Stearns stated, "There appears to be no integrated response amongst the federal IT enterprise to address supply chain risks. Agencies are left to their own devices to address this risky and complex threat. I find this troubling."

Chairman Stearns also expressed alarm to find that the GAO concluded that the Department of Energy had not developed clear policies that define what security measures are needed to protect against supply chain threats. When questioning Gil Vega, DOE Associate CIO for Cybersecurity & Chief Information Security Officer, Chairman Stearns asked if DOE could determine when their efforts to protect the IT supply chain would be complete. Vega could not offer a prediction. Chairman Stearns then asked how long DOE had been working to protect the supply chain and Vega replied, "two weeks."


During the hearing, Stearns also outlined several examples in which information technology products and services had been compromised:

  • In July 2010, Dell announced that some of its PowerEdge motherboards contained malicious spyware that gathered information about a victim's Internet browsing habits and collected personally identifiable information.
  • During a security conference in May 2010, IBM gave complimentary USB drives to attendees that contained two kinds of malware, including a keylogger program.
  • In March 2010, the Spanish cell phone company Vodafone released a new version of a popular smartphone infected with a version of the Butterfly botnet, in addition to other malicious software.

In concluding his testimony, GAO's Wilshusen warned, "The global IT supply chain introduces a myriad of security vulnerabilities to federal information systems that, if exploited, could introduce threats to the confidentiality, integrity, and availability of federal information systems. Thus the potential exists for serious adverse impact on an agency's operations, assets, and employees. These risks highlight the importance of national security-related agencies fully addressing supply chain security by defining measures and implementation procedures for supply chain protection and monitoring compliance with and the effectiveness of these measures. Until these agencies develop comprehensive policies, procedures, and monitoring capabilities, increased risk exists that they will be vulnerable to IT supply chain threats."

###