Do As I Say, Not As I Do: Homeland Security Coming Up Short on Info Security
The Department of Homeland Security is getting hammered for poor security. While specific incidents make for headlines and stinging questions by investigators, it’s the more systemic problems we should focus on.
Take, for example, a question from the chairman of the House of Representatives Homeland Security Committee, as reported in CNET News:
"How can we ask the private sector to better train employees and implement more consistent access controls when DHS allows employees to send classified e-mails over unclassified networks and contractors to attach unapproved laptops to the network?" Thompson asked at a hearing held by a subcommittee that deals with cybersecurity issues.
Sounds pretty bad and is good fodder for headlines. But what was the outcome of the contractors attaching unauthorized laptops to the network? Obviously the unauthorized device was detected. Did the user gain access to any network resources? Was the device logically isolated and physically removed shortly after detection? The answers to these questions matter, but they are just the tip of the proverbial iceberg.
The real issue is how DHS implements security management. How well do they manage security policies, enforce procedures, monitor network activity, manage identities and access controls, implement change management, and patch applications? These kinds of questions don’t grab headlines but they make all the difference in effective security.
Here are some comments that should worry us (again from CNET News):
Government Accountability Office auditors at Wednesday's hearing said various components of Homeland Security still aren't doing enough to limit access to their systems, authenticate and identify users, encrypt sensitive data and keep logs of user activity.
And the US-Visit program, which is used to verify the identity of foreigners, suffers from easily fixed problems:
The flaws are mostly due to "bad configurations" that could be fixed both easily and cheaply, he said. But because of the deficiencies, there's no way of knowing whether the database associated with the computer systems has already been hacked, he said.
And the cherry on top, from Keith Rhodes, one of the authors of a GAO report on DHS information security:
"I did not see controls in place that would prevent (hacking), I did not see defensive perimeters, and I did not see detection systems in place that would let you know whether it had or had not" been hacked.



