DHS and TSA systems run by Unisys were hit by 844 cyber-security incidents between 2005 and 2006, says a congressional probe.
Lawmakers are accusing government contractor Unisys of incompetence and possible illegal activity related to its handling of Department of Homeland Security network security and hacks originating in China.
Unisys, based in Blue Bell, Pa., won a $1.7 billion contract with the DHS in 2002 to build, manage and protect the networks at the Transportation Security Administration and DHS headquarters. Since then, according to a report by the House Committee on Homeland Security, the systems have been hit by 844 cyber-security incidents in the 2005 to 2006 time period.
"Dozens of DHS computers were compromised by hackers. These incidents were not noticed until months after the initial attacks," Rep. Bennie Thompson (D-Miss.), chairman of the Committee on Homeland Security, wrote in a Sept. 21 letter to DHS Inspector General Richard L. Skinner.
Thompson asked Skinner to initiate an immediate inquiry into the issue and, if necessary, refer the matter for criminal investigation. According to one news report, the FBI is investigating the matter, but an FBI spokesperson told eWEEK the agency would neither confirm nor deny the existence of an FBI probe.
"These computers may still be compromised due to insufficient mitigation efforts by the contractor responsible for information technologies at [DHS]," Thompson wrote. "Hackers exfiltrated information out of DHS systems to a Web hosting service that connects to Chinese Web sites."
Unisys said in a statement that federal security regulations preclude public comment on specific incidents, but added, "We can state generally that the allegation that Unisys did not properly install essential security systems is incorrect. In addition, we routinely follow prescribed security protocols and have properly reported incidents to the customer in accordance with those protocols."
Thompson's committee became involved in the security of government networks after a series of 2006 hacking incidents that targeted the systems of the Departments of State and Commerce. Thompson said the attacks were "most likely" from China.
"The testimony was disturbing," Thompson wrote. "An official from the Department of Commerce discussed a cyber-attack against their systems, which was widely reported to have been launched by hackers operating through Chinese Internet servers."
Thompson said the hackers used a rootkit program that allows hackers to mask their presence while gaining privileged access to the system. "Although IT specialists discovered the incident in October 2006, they could not determine the date of the initial hack or the amount of information that was exfiltrated out of Commerce systems," he wrote.
The incident prompted the committee to investigate the security of DHS systems. Thompson said the panel was primarily interested in the similarity of attacks on DHS systems and the hacks at Commerce and State.
At a June 20 hearing, Scott Charbo, CIO at DHS, told the panel, "You don't know what you don't know" when asked if DHS servers ever exfiltrated information to Chinese servers. Unsatisfied with Charbo's response, the committee continued its investigation.
By September, Thompson had obtained more DHS incident reports that described the placement of hacking tools, password dumping utilities and other malicious code on DHS systems.
"Although DHS contracted for network intrusion detection systems, these systems were not fully deployed at the time of the initial incidents," Thompson wrote. "If network security engineers were running these systems, the initial intrusions [might] have been detected and prevented."
Thompson further claims contractors provided "inaccurate and misleading" information to DHS officials about the source of the attacks and "attempted to hide security gaps in their capabilities."
Unisys said in its statement, "We believe that a proper investigation of this matter will conclude that Unisys acted in good faith to meet the customer's security requirements."
Thompson's letter was sent on the same day that a General Accountability Office study found that approximately 227 federal IT projects involving $10.4 billion were either poorly planned or underperforming.