Commerce rapped on infosec lapses

Lawmakers took the Commerce Department to task at an Aug. 3 hearing after auditors testified they found numerous information security lapses on agency systems.

During an investigation into security practices at seven Commerce organizations, "hackers" from the General Accounting Office were able to gain unauthorized access to systems and read, modify and delete sensitive economic, personnel and business data.

Among the data at risk is information related to national security, missile technology and biological warfare residing on systems at the Bureau of Export Administration.

Intruders could disrupt mission-critical systems without being detected, said Robert Dacey, director of information security issues at GAO, in testimony before the House Energy and Commerce Committee's Subcommittee on Oversight and Investigations.

In one case, GAO investigators gained access to a system only to find that a Russian hacker had been there already, without the knowledge of Commerce managers.

"In short, the department simply has no idea whether its sensitive systems are being or have been compromised — a totally unacceptable situation," said subcommittee chairman Rep. James Greenwood.

GAO also found that many systems could be accessed without passwords or were unprotected and that a user on one bureau's network could change the configuration of other bureaus' network controls via the Internet, Dacey said.

Commerce Inspector General Johnnie Frazier said internal audits found similar security holes, but better cooperation should help plug them. Last month, the IG's office signed a memorandum of agreement with the Office of the Chief Information Officer and the Office of Security to share responsibility on Commerce's information technology security issues.

Samuel Bodman, deputy secretary at Commerce, said the problem is more a matter of "management and priorities" and is being addressed. Already, the secretary has given the department CIO authority to guide bureau security plans, he said.
