We are here today to continue this Committee’s review of computer security -- or lack thereof as the case may be -- at Federal agencies under our jurisdiction. Since 1998, this Committee has reviewed computer security policies and practices at the Environmental Protection Agency, the Department of Energy, the Health Care Financing Administration, and today we will be focusing our attention on the Department of Commerce. Without exception, we have found significant security problems at each of these agencies, all of which either took -- or are taking -- prompt action to correct the deficiencies identified as a result of our oversight. Unfortunately, it appears that information security rarely becomes a priority within an agency until the white-hot lights of public and congressional attention focus on that agency’s specific flaws.

Today we will hear from information security experts at the General Accounting Office who, at this Committee’s request, conducted an in-depth evaluation of the Department’s management and implementation of computer security at seven of its operating divisions, including the Bureau of Export Administration, the International Trade Administration, the Economics and Statistics Administration, and the Office of the Secretary.

GAO’s team of ethical hackers identified and exploited vulnerabilities in the computer systems of these divisions to gain virtually unlimited access to them internally, from within the Department’s network, and externally, from the Internet. Not only could these systems be accessed without authorization, but the information contained in them could be read, modified, or deleted at will – even with respect to the most sensitive systems and data files within these seven divisions. And with such access also comes the power to completely disrupt critical Department operations.

It is no secret that, of the systems reviewed and found to be vulnerable by GAO, many contain highly sensitive personal, financial, commercial, and national security-related data, and are critical to the Department’s overall mission. Included in this list are the export control licensing systems and the networks that are used by the International Trade Administration for communications with our foreign Commerce outposts around the world.

The state of the Department’s security was truly deplorable. GAO found instances in which systems did not require passwords, even for system administrator accounts. Other systems had easily guessed passwords, such as "password." Certain passwords and password files were either unencrypted or not otherwise protected, permitting anyone on the network – authorized or unauthorized -- to read and obtain even the most powerful account passwords. And six of the seven bureaus did not even limit the number of times an individual could try to log on to the system, allowing would-be hackers excessive opportunities to crack these poor password controls.

GAO also found that poor network security and configurations permitted GAO’s experts to circumvent the limited security controls that were in place, and thus to travel between and among the seven connected bureaus – essentially finding that the lowest common denominator among these bureaus set the security standard for the rest of them. Some of the bureaus did not even have firewalls in place to protect all of their sensitive internal systems from the Internet -- or, if they did, they were either so poorly implemented as to be largely ineffective, or could be easily bypassed via alternative access routes. These failures place all of the connected bureaus at significant risk of intrusions.

Equally troubling, and despite advance notice of the GAO hacking attempts, the Department’s monitoring of cyber intrusions failed to detect the overwhelming majority of GAO’s intrusion and scanning efforts, including the successful ones. In fact, GAO reports that its hackers gained access to one system, only to find that a Russian hacker had been there before them, without the Department’s apparent knowledge. And only two of the bureaus reviewed by GAO had formal intrusion detection systems in place. In short, the Department simply has no idea of whether its sensitive systems are being or have been compromised -- a totally unacceptable situation.

The reason for these failures, according to GAO, is the lack of an effective security management program at the Department. Basic and longstanding Federal security requirements have essentially been ignored for years. Only three of the 94 sensitive systems reviewed by GAO had documented risk assessments, and only seven had current security plans, none of which had been approved yet by management. The Department’s computer security policies have not been updated since 1995, despite the tremendous growth of the Internet and the increased inter-connectivity between Commerce bureaus and the outside world. And there are virtually no minimum security requirements for all Commerce computer systems – even, for example, on basic issues such as password lengths or characteristics.

In addition to GAO, we will hear today from the Department’s Inspector General, which also has done work in this area. A recent IG report essentially confirmed that the lack of effective security management found by GAO, with respect to seven of the Department’s operating divisions, was not unusual. Across the Department, adequate risk assessments and security plans are the exception rather than the norm, with roughly 92% of the Department’s systems failing to comply with at least one of these Federal security requirements.

The IG’s financial control audits, which, beginning this year, contained a limited penetration test of computer security controls, also confirm that access control problems similar to those identified at the seven bureaus reviewed by GAO exist at many other Commerce bureaus as well, including the Census Bureau, NOAA, NIST, and others, posing threats from both internal and external sources.

How could this situation exist, and for so long? The short answer is that, until this Committee started asking questions early last year, no one at the Department was even seriously looking at these issues. Despite Federal requirements for independent reviews of security controls on major systems on a routine basis, GAO found that neither the Department’s chief information officer, nor six of the seven bureaus reviewed, had conducted any such audits or oversight.

Unfortunately, this situation is not at all unusual. Our cyber security reviews have consistently shown that this lack of real-world testing of the effectiveness of security controls is one of the major problems facing not just the Commerce Department, but the Federal government as a whole.

This lack of attention to cyber security is reflected by the lack of resources devoted to this purpose. At Commerce, for example, the Department’s Office of Information Technology Security -- which is responsible for setting the Department’s computer security policies and conducting oversight to ensure compliance by the various bureaus -- was a one-person operation up until March 2000, when the director of this office was given two interns to assist with these important functions. I am pleased to hear that Secretary Evans recently approved a re-direction of additional personnel and funding for this office, which in addition to computer security is also responsible for the Department’s overall critical infrastructure protection efforts.

It certainly is time – indeed, it is well past time – for the Commerce Department to start taking the security of its data systems seriously, much more so than it was under the previous Administration. In the 21st century, effective computer security is as much a part and cost of doing business as having locks on the front door was during previous centuries. And we will continue our oversight in this area until Commerce and the other Federal agencies under our jurisdiction get this message loud and clear.

I want to welcome and thank our witnesses for testifying today on this important topic, and will now recognize the Ranking Member for an opening statement.