Committee Finds Efforts to Secure Nation's Information Technology Systems Inadequate

Press Release

Date: March 27, 2012
Location: Washington, DC

The House Energy and Commerce Subcommittee on Oversight and Investigations today continued its hearing series examining current cyber threats and vulnerabilities to our nation's infrastructure. The hearing, entitled "IT Supply Chain Security: Review of Government and Industry Efforts," assessed potential threats and vulnerabilities to federal information technology (IT) systems and examined the steps a number of agencies have taken to address and minimize IT supply chain related security risks. In February 2011, the Director of National Intelligence noted that there has been a dramatic increase in cyber activity targeting U.S. computers and systems, including a more than tripling of the volume of malicious software since 2009.

Last week, the Government Accountability Office released a report examining the risks and threats to the supply chains of both commercial and federal IT systems. The GAO examined the four agencies involved in national security (the Departments of Defense, Energy, Homeland Security, and Justice) and their capability to assess the risks to their own IT supply chains and the steps they have taken to mitigate them. GAO found that while DOD, DOE, DHS, and Justice each participate in interagency efforts to address supply chain security, some of these agencies have made more progress than others in addressing IT supply chain security risks.

Gregory Wilshusen, Director of Information Security Issues at GAO, elaborated on DOE's situation, stating, "In May 2011, the Department of Energy revised its information security program, which requires Energy components to implement provisions based on NIST and Committee on National Security Systems guidance. However, the department was unable to provide details on implementation progress, milestones for completion, or how supply chain protection measures would be defined. Because it had not defined these measures or associated implementing procedures, the department was also not in a position to monitor compliance or effectiveness."

Oversight and Investigations Subcommittee Chairman Cliff Stearns stated, "There appears to be no integrated response amongst the federal IT enterprise to address supply chain risks. Agencies are left to their own devices to address this risky and complex threat. I find this troubling."

Chairman Stearns was also alarmed to find that GAO concluded the Department of Energy had not developed clear policies defining what security measures are needed to protect against supply chain threats. When questioning Gil Vega, DOE Associate CIO for Cybersecurity & Chief Information Security Officer, Chairman Stearns asked if DOE could determine when its efforts to protect the IT supply chain would be complete. Vega could not offer a prediction. Chairman Stearns then asked how long DOE had been working to protect the supply chain, and Vega replied, "two weeks."
