A Sept. 24 Page One article about a data breach at the Department of Homeland Security failed to credit the source of a quotation. It was Government Computer News in August 2006 that quoted Air Force Maj. Gen. William Lord as saying at a technology conference, "They are looking for your identity so they can get into the network as you." A Washington Post reporter did not attend the conference.
Contractor Blamed in DHS Data Breaches
Unisys, which builds and manages the computer networks for the Homeland Security Department, has been accused of failing to detect and covering up cyber-intrusions at DHS.
(By Mike Mergen -- Bloomberg News)
DHS spokesman Russ Knocke rejected the assertion. "We've taken the committee's allegations very seriously," he said. "At the committee's request, we have provided them with copies of every incident report since the department was created. . . . We have today fully operational security operations capability. That means that every incident, no matter how small, is reported to our operations center."
The FBI is investigating Unisys for criminal fraud, according to a committee aide. The panel began its inquiry into the matter in April. And Homeland Security's Internal Affairs division is conducting a probe as well.
FBI spokesman Richard J. Kolko said he could not confirm or deny whether the FBI is investigating the matter.
In the 2006 attacks on the DHS systems, hackers often took over computers late at night or early in the morning, "exfiltrating" or copying and sending out data over hours -- in one case more than five hours, according to evidence collected by the committee.
The House panel said its investigation has yielded the following results:
It is not clear how the hackers breached the DHS systems. But once inside, they used special software to crack a user account password for a network administrator who had privileges to modify key system files on thousands of computers on the DHS network.
Then the attackers began installing malicious software on dozens of computers that not only masked the intrusion but also copied and transferred files to an outside Web site.
In July 2006, a Unisys employee detected a possible intrusion but "downplayed it and low-level DHS security managers ignored it," the committee aide said.
It was not until Sept. 27, 2006, that two DHS systems managers noticed that their machines had been accessed with a hacking tool.
Unisys information technology employees began a probe and determined that the break-in affected more computers. They discovered that it reached back as far as June 13 that year and had continued through at least Oct. 1, eventually reaching 150 computers.
Among the security devices Unisys had been hired to install and monitor were seven "intrusion-detection systems," which flag suspicious or unauthorized computer network activity that may indicate a break-in. The devices were purchased in 2004, but by June 2006 only three had been installed -- and in such a way that they could not provide real-time alerts, according to the committee. The rest were gathering dust in DHS storage closets and under desks in their original packaging, the aide said.
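The committee's account above gives a concrete detection target: outbound sessions that begin late at night or early in the morning and then run for hours or move large volumes of data, which is exactly what real-time intrusion-detection alerting is meant to surface. The following is an added illustration of that logic, not DHS or Unisys tooling; the session-log format, hostnames, thresholds and addresses are all constructed.

```python
"""Detection sketch for the exfiltration pattern described above: outbound sessions
that start late at night or early in the morning and either run for hours or move a
lot of data. Added example, not DHS or Unisys tooling; the log format is constructed."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed records: start, end, source host, destination IP, bytes sent out.
# External addresses use RFC 5737 documentation ranges.
SAMPLE_SESSIONS = """\
2006-06-13T02:10:00 2006-06-13T07:25:00 ws-0417 203.0.113.45 1843000000
2006-06-13T10:00:00 2006-06-13T10:03:00 ws-0417 10.20.30.5 12000
2006-06-14T03:30:00 2006-06-14T04:15:00 ws-0098 203.0.113.45 410000000
2006-06-14T14:00:00 2006-06-14T16:30:00 ws-0221 198.51.100.7 905000000
2006-06-15T02:00:00 2006-06-15T02:02:00 ws-0333 198.51.100.9 51000
"""

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = (8, 18)    # local hours treated as normal activity (assumed)
MIN_DURATION_H = 1.0        # an outbound copy running an hour or more...
MIN_BYTES = 100_000_000     # ...or moving roughly 100 MB or more is worth an alert

def parse_sessions(text):
    """Turn the whitespace-separated log into dicts with datetime and address fields."""
    sessions = []
    for line in text.splitlines():
        if line.strip():
            start, end, host, dst, nbytes = line.split()
            sessions.append({"start": datetime.fromisoformat(start),
                             "end": datetime.fromisoformat(end), "host": host,
                             "dst": ip_address(dst), "bytes": int(nbytes)})
    return sessions

def flag_exfil_candidates(sessions):
    """Return (host, dst, reasons) for off-hours, long or high-volume external sessions."""
    flagged = []
    for s in sessions:
        if any(s["dst"] in net for net in INTERNAL_NETS):
            continue                      # internal traffic is not exfiltration
        if BUSINESS_HOURS[0] <= s["start"].hour < BUSINESS_HOURS[1]:
            continue                      # started during the working day
        hours = (s["end"] - s["start"]).total_seconds() / 3600
        reasons = []
        if hours >= MIN_DURATION_H:
            reasons.append(f"{hours:.1f}h outbound transfer")
        if s["bytes"] >= MIN_BYTES:
            reasons.append(f"{s['bytes'] / 1e6:.0f} MB sent out")
        if reasons:
            flagged.append((s["host"], str(s["dst"]), reasons))
    return flagged
```

On the constructed sample, the five-hour overnight transfer and the smaller off-hours bulk copy are flagged, while internal traffic, a daytime transfer and a tiny overnight check-in are not; in practice the thresholds would be tuned against a baseline of the network's normal off-hours traffic.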
Although the hackers lifted data from unclassified systems, Paul Kurtz, a former White House cyber-security adviser, said that even unclassified data, if stolen in large enough quantities, could provide important clues about U.S. military and corporate trade secrets.
"Clearly there's cause for concern as to how Unisys has conducted itself and the security it has provided," committee member Rep. Jim Langevin (D-R.I.) said in an interview. "There were some basic things that should have been done -- installation of these intrusion-detection devices -- that very well would have given us a strong indication and an alert that our systems were penetrated."
Unisys spokeswoman Meyer disputed the committee's version of events. She said that Unisys had installed five network-intrusion devices and added a sixth in September 2006. Moreover, she said, under the follow-on contract, "DHS, citing lack of funding, elected to stop paying for security monitoring services," but that the firm continued to provide the monitoring anyway.
Knocke said that the claims are "entirely baseless and disingenuous." He added that although "Unisys is not prohibited" from bidding on the next IT contract, "previous performance can be a factor" in selection.
The committee obtained documents indicating that Unisys was trying to "hide gaps" from the government in an apparent attempt to obscure the scope of the network security breaches, an aide said. Unisys also failed to disclose to DHS that the data were being sent to the Chinese-language Web site, the aide said.
Langevin, who chairs the panel's subcommittee on emerging threats and cyber-security, complained that senior DHS officials failed to recognize the situation's gravity. In a letter sent Friday to Skinner, Langevin and Thompson also said that DHS officials "preferred to complete the fiscal year's financial transactions rather than immediately take steps to mitigate the problem."
Knocke disputed that assertion. "We have spent innumerable man hours responding to the committee's inquiries and requests. . . . We are aware of, and have responded to, malicious cyber-activity directed at the U.S. government over the past few years. We remain concerned that this malicious activity is growing more sophisticated and frequent."
In fact, the techniques and tools used in the DHS break-ins were similar to incidents at the Defense and Commerce departments, the lawmakers said.
Experts said the attacks, which have also hit Germany, Britain and France, are part of a series that began several years ago, when U.S. officials reported that unclassified Pentagon networks and contractors running national labs had been under relentless attack from computers in China. The intelligence and computer-security communities remain divided over whether the intrusions, code-named Titan Rain by federal investigators, were carried out by state-sponsored cyber-spies or merely opportunistic hackers.
A senior military technology officer warned last fall that China downloaded "10 to 20 terabytes of data" from the Pentagon's non-classified Internet Protocol router network. "They are looking for your identity so they can get into the network as you," Maj. Gen. William Lord, Director of Information Services and Integration in the Air Force Office of Warfighting Integration, said at an Air Force technology conference. "There is a nation-state threat by the Chinese."
The Chinese government has vigorously denied the charges of cyber-espionage and Chinese officials have leveled their own allegations of cyber-hacking against the United States.
Krebs is a staff writer for washingtonpost.com. Staff researcher Richard Drezen contributed to this report.