GAO: Public info open to hackers

Hackers can gain access to sensitive medical and financial information on nearly every American because of widespread security weaknesses in agency computer systems, officials told the Senate Governmental Affairs Committee last week.

The General Accounting Office told the committee that significant information security weaknesses exist at all of the 24 largest federal agencies, placing critical defense and financial operations at risk, and 17 of those agencies have deficiencies in their security planning and management. The most common weakness is poor control over who has access to sensitive data. Inadequate management and leadership from the Office of Management and Budget has exacerbated the computer security problem, said Gene L. Dodaro, GAO's assistant comptroller general.

GAO said external and internal auditors at the Social Security Administration and the Department of Veterans Affairs found security shortcomings that leave data vulnerable to hackers who could steal the information or manipulate it.

Both agencies defended their security practices but also admitted the audits uncovered security problems of which they were not aware. The audit of SSA revealed security breaches involving passwords, unprotected modems, lax implementation of audit trails and the vulnerability of the e-mail system, said Sen. Fred Thompson (R-Tenn.), the committee chairman.

John Dyer, principal deputy commissioner at SSA, said computer security is more difficult to tighten because SSA has recently moved from mainframes to a distributed computer environment and because the agency handles a huge volume of data. "I agree with the GAO that we need to do better," Dyer said. "The audit came up with things we were not aware of, and we're jumping on them."

Dyer said SSA agreed with nearly all the auditors' 43 recommendations on how the agency could better protect its data, and the agency has completed 30 of the suggestions. The actions taken include limitations on the use of modems, implementation of new password guidelines and greater access controls for programmers and other system users, Dyer said. The agency also has installed online an automated program designed to catch fraud by detecting unusual activity.

At the VA there has been a "major failure" in general computer security management planning, said Harold F. Gracey Jr., acting assistant secretary for information and technology in the VA. "We clearly have weaknesses," he told the committee.

Gracey said the VA intends to implement recommendations made by GAO, including improving control over access, protecting the systems from unauthorized access and implementing a department-wide computer security planning and management program.

Agencies' awareness of computer security problems has increased, but it has been too reactive, Dodaro said. "They have to take a comprehensive, proactive look at security, make it a top management priority and make it part of the fabric of [their operations]," he said.

Thompson demanded more leadership from OMB. "There's not one tangible thing that I can see that's been done...from a governmentwide standpoint to highlight this problem and to instruct people as to specific things that are expected out of them in these agencies," Thompson said.

The GAO reports based their conclusions on audits by independent companies and the inspector general's offices at SSA and the VA.

Two other limited distribution reports were issued with specific details about the vulnerabilities of government computer systems. These were sealed because of their sensitive nature and their potential to embarrass the agencies, said Bill Greenwalt, a member of the committee staff.
