EPA's Web security still vulnerable to hackers
Despite efforts to shore up computer security, the Environmental Protection Agency is still an open target for hackers, according to congressional investigators.
A report released today by the General Accounting Office, the investigative arm of Congress, found that the agency's system continues to be "riddled with security weaknesses" that could allow hackers to tamper with data, view sensitive information or attack other agencies using the EPA system.
In the report, investigators said the EPA failed to notice government security experts rummaging through its computers. During their tests, investigators were able to guess passwords, hack into the computer network, watch unsuspecting people type their passwords, and move throughout the network unimpeded.
In response to the report, the EPA said in a statement that it "will continue its efforts into the future to improve computer security, to take into account emerging technologies."
"The administration is fully committed to the public's right-to-know, has consistently expanded and defended that right," the EPA's statement said. "Computer issues should not be used in an effort to restrict vital information."
The GAO investigated the agency at the request of House Commerce Committee Chairman Tom Bliley, R-Va., who in August 1999 asked for an audit of the EPA's system for his review of the computer security policies and programs of some federal agencies under the committee's jurisdiction.
Investigators found widespread flaws that rendered the EPA's information security program ineffective, according to the report.
"The GAO report, coupled with the committee's other recent oversight in this area, shows that despite the tough rhetoric, the Clinton-Gore administration's cybersecurity policy amounts to little more than paper pushing," Bliley said in a statement.
After a preliminary review last February found "serious and pervasive problems" in the EPA's security system, Bliley said he asked the agency to take down its computer systems and overhaul its network security. The EPA complied by shuttering its Internet link temporarily to make repairs, according to the GAO report.
Since the system was restored, the agency has been beefing up its computer security measures. Investigators, however, say there is still work to be done.
"It is unfortunate that years of gross mismanagement at the agency have left these sensitive systems and data at such serious risk for so long," Bliley said in a statement. "But it is even more unfortunate that it took this committee's oversight and public pressure to motivate the agency to undertake responsible steps to ensure its computer systems provide adequate protection for sensitive agency data."
In the report, investigators also expressed concern regarding weaknesses found during their current assessment that had been detailed for the agency in 1997 in a report from the EPA's own inspector general.
The GAO performed its audit at the EPA's headquarters and the National Computer Center from September 1999 through February 2000.
In late July, Bliley asked the GAO for a similar audit of the Commerce Department's cybersecurity program. He also recently launched a review of the Food and Drug Administration's information management policies and practices, requesting records detailing the agency's computer security practices and any hacker attacks against it.