GAO: Public info open to hackers

Hackers can gain access to sensitive medical and financial information on nearly every American because of widespread security weaknesses in agency computer systems, officials told the Senate Governmental Affairs Committee last week.

The General Accounting Office told the committee that significant information security weaknesses exist at all of the 24 largest federal agencies, placing critical defense and financial operations at risk, and that 17 of those agencies have deficiencies in their security planning and management. The most common weakness is poor control over who has access to sensitive data. Inadequate management and leadership from the Office of Management and Budget has exacerbated the computer security problem, said Gene L. Dodaro, GAO's assistant comptroller general.

GAO said external and internal auditors at the Social Security Administration and the Department of Veterans Affairs found security shortcomings that leave data vulnerable to hackers who could steal the information or manipulate it.

Both agencies defended their security practices but also admitted the audits uncovered security problems of which they were not aware. The audit of SSA revealed security breaches involving passwords, unprotected modems, lax implementation of audit trails and the vulnerability of the e-mail system, said Sen. Fred Thompson (R-Tenn.), the committee chairman.

John Dyer, principal deputy commissioner at SSA, said computer security is more difficult to tighten because SSA has recently moved from mainframes to a distributed computer environment and because the agency handles a huge volume of data. "I agree with the GAO that we need to do better," Dyer said. "The audit came up with things we were not aware of, and we're jumping on them."

Dyer said SSA agreed with nearly all the auditors' 43 recommendations on how the agency could better protect its data, and the agency has completed 30 of the suggestions. The actions taken include limitations on the use of modems, implementation of new password guidelines and greater access controls for programmers and other system users, Dyer said. The agency has also put online an automated program designed to catch fraud by detecting unusual activity.

At the VA there has been a "major failure" in general computer security management planning, said Harold F. Gracey Jr., acting assistant secretary for information and technology in the VA. "We clearly have weaknesses," he told the committee.

Gracey said the VA intends to implement recommendations made by GAO, including improving control over access, protecting the systems from unauthorized access and implementing a department-wide computer security planning and management program.

Agencies' awareness of computer security problems has increased, but it has been too reactive, Dodaro said. "They have to take a comprehensive, proactive look at security, make it a top management priority and make it part of the fabric of [their operations]," he said.

Thompson demanded more leadership from OMB. "There's not one tangible thing that I can see that's been done...from a governmentwide standpoint to highlight this problem and to instruct people as to specific things that are expected out of them in these agencies," Thompson said.

The GAO reports based their conclusions on audits by independent companies and the inspector general's offices at SSA and the VA.

Two other limited distribution reports were issued with specific details about the vulnerabilities of government computer systems. These were sealed because of their sensitive nature and their potential to embarrass the agencies, said Bill Greenwalt, a member of the committee staff.
