EPA cleans up security mess

Six months after computer security at the Environmental Protection Agency was judged to be so flawed as to be ineffective, the agency continues a massive security overhaul.

Security lapses left the EPA so vulnerable that, in February, the agency shut down its World Wide Web sites and cut off outside access to its computer systems to prevent them from being damaged in online attacks.

In the months since then, an information security team has ordered more than 100 changes in security practices. Still, about 30 percent of the services that were disconnected remain offline, according to George Bonina, the EPA's director of information security.

Dial-in access to the EPA's computer systems is one of the services not fully restored. It is proving difficult to secure. Permitting remote access can "open up huge holes in the firewalls. We don't have that fixed yet," Bonina told a group of federal Webmasters on June 22.

Public access to the EPA's Web sites has been restored, however. "The public was clamoring for access" after the Web sites were shut down, he

The EPA's vulnerabilities were discovered late last year during a security audit by the General Accounting Office. GAO investigators penetrated the EPA's systems that contained sensitive and national security-related information.

The agency's computer vulnerabilities were not obvious, even to many in the EPA. "Our actual security program on paper was pretty good. We just weren't implementing it," Bonina said.

Vulnerability came from a multitude of sloppy practices. For example, "we got clobbered because of passwords," he said. Even system administrators, who should know better, used passwords that were easy to guess. One used "sysadmin," he said.

Passwords were changed, and now system administrators are required to certify that they are following sound password practices.

Another weakness was created by the EPA's failure to keep access to its systems up-to-date. "We had a lot of people who were long gone from the agency who still had accounts" that gave them access to the EPA's computers, Bonina said. Some were contractors, some were former employees and some were simply outsiders, he said. And "a lot of people were sharing accounts," which made it difficult to control access.
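The three account-hygiene failures Bonina describes (guessable passwords such as "sysadmin," accounts left behind by people who had departed, and accounts shared among several people) are all things an administrator can check for routinely. The following script is an added illustration of such checks and is not EPA code; the account inventory, HR roster and login records in it are constructed sample data, and the weak-password word list is an assumed minimal one.

```python
"""Account-hygiene audit illustrating the failures described in the article.

Constructed sample data: an account inventory, an HR roster of people still
with the agency, and a few login records. Not EPA code or data.
"""
from collections import defaultdict

# Passwords an attacker would try first; "sysadmin" is the one the article cites.
# Assumed minimal list; a real deployment would use a much larger one.
OBVIOUS_PASSWORDS = {"sysadmin", "password", "admin", "root", "changeme", "letmein"}

# Constructed account inventory: account name -> owner id recorded at creation.
ACCOUNTS = {
    "jdoe": "E1001",
    "msmith": "E1002",
    "ctr_acme": "C2001",    # contractor account
    "ops_shared": "E1003",  # one account that several people use
    "legacy_ftp": None,     # no recorded owner at all
}

# Constructed HR roster: ids of people currently with the agency.
CURRENT_STAFF = {"E1001", "E1003"}

# Constructed login records: (account, source host) pairs over an audit window.
LOGINS = [
    ("jdoe", "ws-101"),
    ("ops_shared", "ws-210"),
    ("ops_shared", "ws-211"),
    ("ops_shared", "ws-212"),
    ("msmith", "ws-102"),
]


def password_is_weak(password, username):
    """Reject a candidate password at the moment it is set: too short, on the
    obvious-guess list, or derived from the account name (which is what
    "sysadmin" on an administrator account amounts to)."""
    p = password.lower()
    if len(password) < 12:
        return True
    if p in OBVIOUS_PASSWORDS:
        return True
    if username.lower() in p:
        return True
    return False


def stale_accounts(accounts, current_staff):
    """Accounts whose recorded owner is no longer on the roster, or never had one.
    These are the 'long gone' contractors, former employees and outsiders."""
    return sorted(a for a, owner in accounts.items() if owner not in current_staff)


def shared_account_candidates(logins, max_hosts=1):
    """Accounts seen logging in from more distinct hosts than one person would
    plausibly use. A crude signal for account sharing, to be confirmed by hand."""
    hosts = defaultdict(set)
    for account, host in logins:
        hosts[account].add(host)
    return sorted(a for a, h in hosts.items() if len(h) > max_hosts)


def audit(accounts=ACCOUNTS, current_staff=CURRENT_STAFF, logins=LOGINS):
    """Run both inventory checks and return the findings by category."""
    return {
        "stale": stale_accounts(accounts, current_staff),
        "shared": shared_account_candidates(logins),
    }


if __name__ == "__main__":
    for finding, names in audit().items():
        print(f"{finding}: {', '.join(names) or 'none'}")
    print("'sysadmin' acceptable for admin account:", not password_is_weak("sysadmin", "admin"))
```

On the sample data the stale check flags the contractor account, the departed employee and the ownerless account, and the shared-account heuristic flags `ops_shared`. The shared-account signal is deliberately loose; its purpose is to produce a short list for an administrator to confirm, not a verdict.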

The EPA operates about 1,500 servers; during the security overhaul, agency officials discovered that "not all of them were configured to agency standards," Bonina said. That has been cleaned up, he said.
