Thompson and Lofgren ask Is Cyber Security A Priority for DHS?
Monday, June 12, 2006
Struck by recent reports of data theft and vulnerability at a number of Federal agencies, Congressman Bennie G. Thompson (D-MS), Ranking Member of the Committee on Homeland Security, and Congresswoman Zoe Lofgren (D-CA), Ranking Member of the Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment, sent the following letter to Secretary Michael Chertoff of the Department of Homeland Security, looking for assurances that the Department is taking all the necessary steps to protect the personally-identifiable information of Americans.
_____________
June 9, 2006
Secretary Michael Chertoff
Department of Homeland Security
Washington, DC 20511
Dear Secretary Chertoff:
Like most Americans, we are very concerned about the recent large-scale thefts of personal identity data. The revelation that the personal information of 26.5 million veterans, including nearly 2.2 million active-duty military members, government employees, and other private citizens was stolen, exposing them to a high risk of identity theft, is extremely troubling. Moreover, we worry about how the security breach at the Department of Veterans Affairs (“VA”) affects the Department of Homeland Security’s (the “Department”) policies as they relate to the collection, retention, and use of personally-identifiable information. As demonstrated by the recent breach, such information, if compromised, raises serious national security issues.
In the VA theft, it has been reported that the personal information of nearly 80 percent of active-military forces- including names, birthdates, and Social Security numbers-was stolen. In terrorists’ hands, this information could be used for a host of illegal activities, including possibly entering the country and planning or conducting further attacks under assumed identities. It could also be used to inflict direct injury to military personnel and their families. Certainly, we can agree on the financial and homeland security interests in protecting this data. As such, we would like to know what involvement the Department of Homeland Security has had in the VA matter and what resources it has dedicated to helping the 2.2 million men and women serving our nation whose information has been compromised.
We have raised this issue in the past, but remain concerned about the Department’s own efforts to protect the personally-identifiable information it has gathered from hundreds of thousands of Americans. We strongly believe that the Department must consider using all available options to prevent situations like the VA theft from happening, especially the use of the latest encryption technology and monitoring software. As the agency tasked with protecting our homeland, the agency regularly receives or has access to such information. For example, people provide detailed personal information to remove themselves from the “no-fly” list or to receive natural disaster relief from the Federal Emergency Management Agency (FEMA). These individuals need to be assured that the Department is taking the necessary steps to protect their information and avoid a VA-like situation.
Furthermore, as the Department is aware, it will soon be collecting detailed personal information for people who wish to gain access to the “Registered Traveler” program or participate in the “Transportation Worker Identification Card” (TWIC) program and for these programs to work data security is critical. Besides these people, the Department has the personal data for its almost 180,000 employees, all of whom provided data to the Department believing that it will keep their information safe from criminals.
As recently reported, encryption technology is crucial to preventing theft of personal information and other sensitive data. We believe that, like the private sector, government data needs to be protected not just from outside attacks, but against inadvertent or deliberate breaches of law or policy. Using the latest encryption technology will help achieve this goal or, at a minimum, help reduce the damage done by such breaches.
In the VA theft, had the agency used sophisticated encryption and monitoring technology to protect the personal information it would have likely prevented or reduced the ramifications from this catastrophe. Because of the Department’s importance in the war on terror and protecting America, we must ensure that the Department is taking all the necessary steps, including using the best technology available. Specifically, we would like the Department to provide the Committee the following information:
· Description and copies of policies, procedures, and guidelines regarding the handling of personal information described above;
· Description of how those policies are communicated to Department personnel and how often;
· Details on the policies, procedures, and guidelines regarding how the Department treats data voluntarily provided by Americans;
· Details on what safeguards, including the use of encryption and other computer software technology, the Department has in place to ensure that this type of information does not physically leave the Department or is otherwise left unsecured;
· Details on how Department policies apply to outside vendors and contractors who will be or are collecting such data; and,
· Details on what lessons the Department has drawn from the recent VA data theft incident and how do you plan to share these lessons and implement any changes with staff as a result of this incident.
On a related matter, we believe the VA incident demonstrates the need for the Department to finally move forward on the cyber security front. We have said over and over again that cyber security is critical to both protecting the homeland and winning the war on terror. To be successful at these two goals, Americans need to understand what the Department is doing to address the greater concern of cyber security. We have repeatedly inquired with the Department how it plans to protect vital national cyber interests and how it can do so without steady leadership. As you know, the Assistant Secretary for Cyber Security and Telecommunications position still remains vacant, almost one year after creation, and the National Cyber Security Division (NCSD) is still led by an “Acting Director.” Also, as you are aware, the Department’s existing Chief Information Officer (CIO) is still currently acting as the Department’s Under Secretary for Management. This means that he is currently performing two senior level positions both with vastly different responsibilities and both with completely separate but vital interests to the Department. Therefore, we are requesting that the Department provide answers to the following questions:
When will the Department finally name the Assistant Secretary for Cyber Security, which you agreed to create last summer as part of your “Second Stage Review?” Please provide a specific date or indicate that you do not plan to fill this position;
What is the Department doing to resolve its lack of steady leadership on cyber security issues?;
What is the Department doing to fill the Under Secretary for Management position with someone other than the current Department CIO?;
What assessment has the Department’s CIO made with respect to using encryption technology and other software to prevent illegal cyber acts?;
What measures, including personnel and facility enhancements, have been taken since January 1, 2005 to identify and protect our nation’s technology interests?;
How many major cyber incidents or attempted major cyber attacks have been stopped since January 1, 2005?; and
What are the Department’s perceived future cyber threats and how could these threats be reduced?
Kindly provide a written response to these inquires by June 23, 2006. If you have any questions, please contact the Democratic Staff Director, Jessica Herrera-Flanigan, at 202-226-2616. I look forward to your response.
Sincerely,
Bennie G. Thompson
Ranking Member
Zoe Lofgren
Ranking Member
Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment
# # #
For More Information:
Please contact Dena Graziano or Todd Levett at (202) 226-2616
