Network security problems at EPA "serious and pervasive"

The Environmental Protection Agency late Tuesday temporarily shut down all access to the Internet following revelations that the agency's information systems and policies suffered from fundamental security weaknesses.

The decision to temporarily terminate access to the agency's public and private systems came after a General Accounting Office audit team performing security testing at EPA reported to the House Commerce committee that they found "serious and pervasive problems that essentially render EPA's agencywide information security program ineffective."

The types of problems GAO found — including improperly configured firewalls, vulnerabilities that allowed GAO to take control of EPA's major systems, and a reliance on insecure password controls — are issues that every federal agency experiences, but not to this extent, said David McClure, associate director of governmentwide and defense information systems in GAO's Accounting and Information Management Division.

"The scope and the severity of the weaknesses at EPA were more extensive then we've seen," McClure said.

The EPA systems GAO penetrated hold sensitive and national security-related information. They include the National Computing Center's mainframe in Research Triangle Park, N.C., which is one of the systems the White House named in 1998 as critical to defending against cyberattacks.

"We knew their lack of security was bad. We didn't know how bad," committee spokesman Steve Schmidt said. "We felt we had no choice but to force EPA's hand if they did not shut down the site."

EPA maintained that the shutdown is only temporary.

"Our access to the Internet as well as public access has been temporarily suspended while [the National Technology Services Division] implements security measures," said Jerry Slaymaker, senior advisor to the EPA chief information officer. Slaymaker said the agency hopes to restore limited Internet access by Feb. 22.

The agency had to shut down the Internet site in addition to its internal network because "we have to go to the place where entrance is being gained or potentially can be gained through the Web site," Slaymaker said. There is no way to repair the front door without limiting all access, he said.

"Public access to information is a serious part of the agency's business," he said. "The only thing more important is security of the information."

Featured

  • Acquisition
    Shutterstock ID 169474442 By Maxx-Studio

    The growing importance of GWACs

    One of the government's most popular methods for buying emerging technologies and critical IT services faces significant challenges in an ever-changing marketplace

  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

Stay Connected