Officials from the departments of Commerce, State and Homeland Security testified Thursday before a congressional panel about the rising threat of computer hackers penetrating federal agency information technology systems.
Key U.S. defense and nuclear contractors and other critical infrastructure are under continuous and increasingly sophisticated attacks from other nations, experts say. Terabytes of highly sensitive information have been stolen and some systems are under the control of the hackers.
Rep. James Langevin, D-R.I., chairman of the House Homeland Security Emerging Threats, Cybersecurity and Science and Technology subcommittee, said he believes that infiltration by foreign nationals of agency networks is one of the most critical issues facing the United States.
According to information presented by Langevin and the hearing's witnesses, hackers using Chinese Internet servers launched an attack on the computer systems at the Commerce Department's Bureau of Industry and Security in October 2006. The hackers used a "rootkit" program that allows the attackers to mask their presence to gain access to the system.
Another incident examined by the panel was a June 2006 attack on networks at several State Department locations, including the Washington, D.C., headquarters and the Bureau of East Asian Affairs and Pacific Affairs. The attack was initiated when an employee of the department opened a Microsoft Word email attachment that contained an exploit code, which is a piece of software or data often used to gain control of a computer.
According to officials at State, a temporary fix was put in place but Langevin criticized the department for leaving the system online. "I believe they made the determination that accessibility to data is more important than confidentiality and integrity," Langevin said. "If State really valued the latter, they would have taken the system off line and done a full wash."
Langevin criticized the department for failing to meet the requirements of the 2002 Federal Information Security Management Act, which requires agencies to track down and identify all devices connected to the agency's network. The recently released 2006 FISMA report shows that State did not inventory at least 50 percent of its systems.
"I think these incidents have opened a lot of eyes in the halls of Congress," Langevin said. "We don't know the scope of our networks. We donâ€™t know who's inside our networks. We donâ€™t know what information has been stolen. We need to get serious about this threat to our national security."