DHS officials: Government networks no more vulnerable to cyberattacks

While cyberattacks are becoming more sophisticated, government networks aren't necessarily more vulnerable to such threats, Homeland Security officials told a House subcommittee on Tuesday.

Witnesses told the House Energy and Commerce Oversight and Investigations Subcommittee that more cyberattacks are being reported at the same time that a wider range of agencies and industries are susceptible to them.

"I wouldn't say we're more vulnerable than five years ago, but we are much more aware," said Roberta Stempfley, acting assistant secretary for the DHS Office of Cybersecurity and Communications. She defended DHS efforts to manage cyberthreats and told the panel that more and more industries have come to rely on electronic information systems, opening them up to cyberattacks.

The past five years have been an "evolutionary period" in cybersecurity, said Sean McGurk, director of DHS's National Cybersecurity and Communications Integration Center. Attacks are becoming more sophisticated and are targeting a wider range of industries, but victims of cyberattacks are more willing to report the incidents, allowing more collaboration between government and private industry, he said.

On Friday, U.S. Computer Emergency Readiness Team Director Randy Vickers abruptly resigned with no explanation. Government websites, including those for the Senate and CIA, have been attacked in recent months.

Under questioning by subcommittee Chairman Cliff Stearns, R-Fla., both DHS officials said networks aren't more vulnerable than they were five years ago.

Gregory Wilshusen, director of information security issues for the Government Accountability Office, took a slightly dimmer view of the threat level and cited the growing reliance on the Internet in so-called "critical infrastructure," which includes industries like transportation, power, and water systems. Once determined to be critical infrastructure, an industry is subject to increased government security measures.

"Threats to systems supporting critical infrastructure are evolving and growing," Wilshusen told the subcommittee. "The potential impact of these threats is amplified by the connectivity between information systems, the Internet, and other infrastructures, creating opportunities for attackers to disrupt telecommunications, electrical power, and other critical services."

While businesses may be seeking more help and sharing data, the GAO said in a report last year that private companies were unhappy with the information they were getting from DHS.

Tuesday's hearing was the first of several planned for the Oversight Subcommittee, Stearns said. He said he plans to call several more hearings to focus on how to protect specific parts of critical infrastructure.

"We must identify and protect the very systems that make our country run: energy, water, health care, manufacturing, and communications," Stearns said in his opening statement. "In light of growing and more sophisticated cyberattacks, this is obviously a critical issue."