How can the Environmental Protection Agency take care of the planet when it can’t even protect its own computer network?
That’s the question raised by a General Accounting Office report released Friday that concluded that the EPA’s information security measures are “ineffective” and “riddled with security weaknesses.”
The report, commissioned by the House Commerce Committee, said that sensitive information on the agency’s networks is vulnerable to hackers.
That information included data on “human health and environmental risks, financial and contract data, and personal information on its employees,” the report said.
In addition, the report noted that the EPA’s information systems have been attacked continuously since early 1998, and that in some cases the agency’s poor “detection and handling capabilities” prevented it from assessing the damage of such attacks.
In September 1999, for example, an individual who had been previously affiliated with the EPA gained access to its systems and blocked authorized EPA employees from accessing files. The report said that the incident had occurred simply because the EPA had a weak process for “applying changes in personnel status to computer accounts.”
That is, it didn’t update its records.
Other incidents included a denial-of-service attack and several “penetrations” into the agency’s systems, one of which resulted in hackers setting up a “chat room” on EPA’s servers.
At least one of these attacks occurred because the EPA had not installed security-boosting software patches on its system. Some of those patches, the report stated, had been available since 1996.
“It is unfortunate that years of gross mismanagement at the agency have left these sensitive systems and data at such serious risk for so long,” House Commerce Chairman Tom Bliley (R-Virginia) said in a statement.
Bliley blamed the security weaknesses squarely on the White House.
“Rather than being a model for the private sector to follow — as the president has claimed he wants it to be — the federal government appears instead to be a model of what not to do when it comes to managing information security,” Bliley said.
In a statement, the EPA said that it takes information security seriously, and that it has already instituted policies to bolster its network.
The House Commerce Committee said that information-security problems in the federal government are not limited to the EPA.
“Mr. Bliley has asked that the GAO do a similar report of the Commerce Department,” said Peter Scheffield, a spokesman for the committee.
An informal investigation by the GAO revealed “significant security problems with the Commerce Department’s systems. We’re talking about several critical systems within the Department of Commerce,” Scheffield added.
Jean Boltz, a spokeswoman for the GAO, said that the agency has documented information security problems at a number of federal agencies.
“The entire computing environment has been changing over the past few years,” and federal agencies have been slow to adapt to such changes, she said.