Network security problems at EPA "serious and pervasive"
- By Diane Frank, Paula Shaki Trimble
- Feb 17, 2000
The Environmental Protection Agency late Tuesday temporarily shut down all access to the Internet following revelations that the agency's information systems and policies suffered from fundamental security weaknesses.
The decision to temporarily terminate access to the agency's public and private systems came after a General Accounting Office audit team performing security testing at EPA reported to the House Commerce committee that they found "serious and pervasive problems that essentially render EPA's agencywide information security program ineffective."
The types of problems GAO found — including improperly configured firewalls, vulnerabilities that allowed GAO to take control of EPA's major systems, and a reliance on insecure password controls — are issues that every federal agency experiences, but not to this extent, said David McClure, associate director of governmentwide and defense information systems in GAO's Accounting and Information Management Division.
"The scope and the severity of the weaknesses at EPA were more extensive then we've seen," McClure said.
The EPA systems GAO penetrated hold sensitive and national security-related information. They include the National Computing Center's mainframe in Research Triangle Park, N.C., which is one of the systems the White House named in 1998 as critical to defending against cyberattacks.
"We knew their lack of security was bad. We didn't know how bad," committee spokesman Steve Schmidt said. "We felt we had no choice but to force EPA's hand if they did not shut down the site."
EPA maintained that the shutdown is only temporary.
"Our access to the Internet as well as public access has been temporarily suspended while [the National Technology Services Division] implements security measures," said Jerry Slaymaker, senior advisor to the EPA chief information officer. Slaymaker said the agency hopes to restore limited Internet access by Feb. 22.
The agency had to shut down the Internet site in addition to its internal network because "we have to go to the place where entrance is being gained or potentially can be gained through the Web site," Slaymaker said. There is no way to repair the front door without limiting all access, he said.
"Public access to information is a serious part of the agency's business," he said. "The only thing more important is security of the information."