Roughly three weeks after reports surfaced of a Pentagon IT system being hacked, allegedly by the Chinese, DHS is reporting that it too is the victim of an unauthorized network intrusion that allowed the hacker(s) to copy and transfer files to an outside Chinese-language website. The hacks in question occurred over a three-month period during 2006.
As reported by the Washington Post, on September 24, 2007, DHS is claiming its vendor failed to install the contracted number of intrusion detection systems, which allowed the network break-in. Moreover, once it was discovered that an intrusion had occurred, the severity of the breach was dramatically downplayed.
The process is now centered on determining fault, and truth be told, both parties are to blame. Perhaps the contractor did not meet the terms of the contract for intrusion detection services. But the fact that DHS was even unaware that its vendor was not meeting its contract obligations is a problem inherent to the fact that DHS, and most federal agencies, lack adequate program management, especially with regard to IT security.
Since its inception, DHS's problem areas have run the gamut from the integration of its various network systems to the management of its procurement process. The fact that DHS seems not to know what happened with its own systems is emblematic of an agency that has struggled to blend the remnants of 22 different organizations and failed to provide enough vendor oversight along the way.
It's foolish to believe that such an event could only happen in DHS, as a shortage of procurement officials and security program managers exists government-wide. This one event will most likely not prompt other agencies to be more vigilant in auditing their vendor-supplied security systems; however, one has to wonder how severe an attack will finally have to occur before agencies get serious about IT security.