Reps. Jason Chaffetz (R-Utah) and Jody Hice (R-Ga.) sent a letter to Department of Homeland Security Inspector General John Roth on Thursday demanding an official investigation into alleged attempts by DHS to hack Georgia’s firewall.
“We request you investigate Secretary Kemp’s allegations that the Department of Homeland Security (DHS) conducted unauthorized scans of his office’s computer network,” the letter states.
“We also question the Department’s ability to remain neutral in investigating its own potential misconduct and think an independent investigation of these incidents is warranted.”
Specifically, Chaffetz and Hice want Roth to investigate whether or not DHS “conduct[ed] an unauthorized scan of the Georgia Secretary of State’s computer network(s)? If so, who authorized the scan(s)? Has the Department conducted an unauthorized scan(s) of any other state’s systems?” and “if so, which states did DHS scan without authorization?”
A Capitol Hill staffer with knowledge of the motivations behind the letter confirmed that the House Committee on Oversight and Government Reform, Secretary Kemp, and the Georgia congressional delegation are growing increasingly frustrated with how DHS has hitherto handled the case.
“Last month, Georgia Secretary of State Brian Kemp wrote a letter to Secretary of Homeland Security Jeh Johnson, in which he identified an ‘unsuccessful attempt to penetrate the Georgia Secretary of State’s firewall’ originating from a DHS-registered IP address,” the letter explains.
“On Dec 12, 2016, Secretary Johnson responded to the [Georgia] Secretary of State’s letter, in an attempt to answer that question. In his response, Secretary Johnson explained the incident identified in Secretary Kemp’s first letter was ‘normal… interaction’ by a DHS contractor with the Georgia Secretary of State’s website,” the letter states.
“Johnson’s response was unequivocal that ‘there was no scanning’ or security assessment of the Secretary of State’s network by DHS’s cybersecurity experts,” the letter notes. Johnson told the congressmen that DHS “traced the activity back to a contractor at the Federal Law Enforcement Training Center in Glynco, Georgia, who was engaged in verifying individuals’ professional licenses but used a less common but still legitimate method of doing so called HTTP OPTIONS.”
The “use of HTTP OPTIONS … triggered false positives for suspicious activity on the Georgia Secretary of State’s servers,” Johnson claimed at the time. But according to Reps. Chaffetz and Hice, Johnson’s response left much to be desired — Johnson has yet to release any information to prove the explanation he gave to Secretary Kemp.
“In Secretary Johnson’s one-page response and his staff’s telephonic briefings, DHS did not provide adequate information to verify or validate any of those statements. Indeed, the Secretary acknowledged in the letter that those were ‘initial findings’ and that his letter was an ‘interim response … subject to change,’” write Chaffetz and Hice.
Although the Oversight and Government Reform Committee is formally requesting Inspector General Roth’s aid in the matter, it is clear that their experience with Johnson, and the fact that they have received no updates since DHS’ initial response, have left Chaffetz and Hice with little faith in DHS’ abilities.
“We also question the Department’s ability to remain neutral in investigating its own potential misconduct and think an independent investigation of these incidents is warranted,” they write, while reminding Roth that “the Committee on Government Oversight and Reform is the principal oversight committee of the House of Representatives” and may at “any time” investigate “any matter” as set forth in House Rule X.