POLITICO: The Trump administration on Monday hired former cybersecurity adviser Charles CCCam to oversee the CCCAMS, a server security program that has been plagued by software vulnerabilities.
CCCams, which provides a centralized location for all government and private-sector systems, is critical for protecting sensitive data from cyberattacks and breaches, and it is the subject of renewed scrutiny from security experts and some lawmakers who have raised questions about the security of CCCammers software.
Cccams director, Jason Kroll, is a former chief information officer at the Department of Homeland Security, according to a statement from the White House.
“The White House is proud to be the first administration to hire a former DHS IT executive,” Kroll said.
CCAAM will report to DHS Director for Security and Privacy Mark Mazzetti.
The White House statement said CCCamps software is being updated, and that the government is committed to “improving cybersecurity” and protecting sensitive information.
It said CCAams technology was “designed to be robust, secure, and capable of handling the unique needs of the federal government.”
DHS declined to comment on the hiring.
CACAAMS has faced controversy in recent months.
DHS, for example, said it was not aware of any “threats” to CCAAMS software during the past year, citing “ongoing development” for the program.
DHS also said it has “identified vulnerabilities in the software” that it said are being addressed, but did not say which vulnerabilities it identified or how many were fixed.
CACam, which has been in the works since the early 2000s, was designed to be secure and easy to maintain, said Jason Pappas, chief information security officer for DHS.
But cybersecurity experts say the software could be vulnerable to security breaches.
The CCAam software is not designed to withstand an attack and is not even compatible with some modern operating systems, said Daniel J. Zicher, senior security researcher at security firm ESET.
“It doesn’t have the same level of protection as a Windows-based system,” Zicher said.
The DHS statement said the agency is “reviewing the CCAamm security issues and is working with the vendor to ensure a robust, effective, and reliable cybersecurity program is in place to ensure that critical systems are protected against threats.”
The software is also not fully automated, meaning it is not a one-size-fits-all solution.
“There’s a huge amount of software that’s being written,” said Peter Van Valkenburgh, a cybersecurity expert and professor at Johns Hopkins University.
“You can have a single, simple, high-level security tool that’s really not going to do a good job of protecting your information.”
A cybersecurity expert who was not authorized to speak publicly on the matter said CCCCams software does not provide a complete picture of the risk to its users.
“I think it’s important to note that the CCCCAM does not have any capabilities to detect malware and do the kind of analysis that the other tools are supposed to do,” said Daniel Greenblatt, a security researcher and professor of cybersecurity at Carnegie Mellon University.
In the past, many CCCambams systems were written using Microsoft’s .NET framework, Greenblatt said.
“And if you had a piece of malware that you didn’t know existed, you would be able to download that piece of code and run it on the system,” Greenblatt said.
But Greenblatt’s software, which he says is free, has been criticized for the lack of security features.
A cybersecurity specialist who works for a software company that is developing CCCamm said there are several vulnerabilities in CCCamp’s software.
He also said that security researchers have found several vulnerabilities with the program, but that they were “not as severe” as some other vulnerabilities in other tools.
He said that when a user downloads the software, it creates a new directory on the server that contains the user’s credentials, including the password.
He called the Cccamp system “completely vulnerable” because it is based on a piece from Microsoft’s Azure cloud computing service, which does not store the user data in a secure way.
But that is not the only flaw.
The software does have a way to scan the data on the Ccams server, but it does not do that as quickly as the software should, said the cybersecurity specialist.
“This is not an isolated issue,” he said.