FEATURES & COMMENTARY
Washington, D.C. — Nine months after President Clinton called on the federal government to improve its computer security, a new study has found that weaknesses remain pervasive, exposing government data to theft and destruction.
The study by the General Accounting Office, the investigative arm of Congress, found widespread deficiencies in computer security at agencies ranging from the Department of Interior to the Treasury Department.
In one instance, the report said, GAO staffers were able to gain access to Defense Department workers’ Social Security numbers, address and pay information through a file that was publicly available over the Internet. In another, a worker at the Social Security Administration pleaded guilty last year to illegally accessing government computers for months to obtain earnings information about local businesses.
The report, which focused primarily on financial computer security at 24 federal agencies, is the latest evidence that a massive, decade-long effort to bring the government’s computers up to private-industry standards remains woefully behind. The lack of progress in improving computer security, said the GAO, has exposed government Web sites to attack by hackers and has even left taxpayer financial data “at serious risk of unauthorized disclosure.”
“The federal government, outside the defense area, is worse than the private industry because good computer security is about regular maintenance and housekeeping–and that’s not one of the government’s strong points,” said Stewart Baker, a Washington technology lawyer who has advised the government on computer security issues. “Computer security doesn’t obviously improve the delivery of services . . . so there’s a natural inclination not to do anything to improve” security.
Release of the GAO report comes as government computer security faces new scrutiny from lawmakers amid a recent wave of hacker attacks on government Web sites, including an attack last week on NASA’s Web site by a hacker protesting the recording industry’s litigation against Napster, the controversial music file-sharing system.
The House subcommittee on government management, information, and technology has invited government computer managers and industry experts from companies such as Microsoft Corp., to hearings today and Tuesday to discuss how to improve government computer security.
The government faces a daunting task. The federal Paperwork Elimination Act as well as a recently approved measure to authorize the use of electronic signatures in business transactions has put pressure on federal officials to provide more information in electronic form over the Internet. Yet hackers, thieves and even foreign intelligence operatives are increasingly using the insecure computer network to access financial accounts and personal information, deface Web sites and spread crippling software viruses to computers around the world.
Even so, committee aides said they have uncovered evidence that some agencies have failed to take even rudimentary steps to increase security such as encrypting password files and limiting physical access to sensitive computers.
The GAO report, for example, found that, in some cases, independent contractors and former government employees retained access to agency computers long after they had ceased working for the government. At one agency, 7,500 of 30,000 users were not deleted after 160 days of inactivity.
“The underlying problem is poor security program management and poor administration of available control techniques,” the GAO concluded in its 31-page report.
It wasn’t until last year, during the massive effort to combat year 2000 computer glitches, that many agencies such as the Federal Communications Commission began taking close inventory of their computer hardware and software and tightening security to foil potential breaches. But since then, government officials and outside experts both said efforts have been relaxed.
“Testing has dropped off” since Y2K, Baker said. But “security needs to be just as high a priority. We need to have government teams trying to actively check security” daily, he said.
Government computer managers acknowledge there is room for improvement. However, they said it is difficult to hire and retain computer-security experts in a tight job market. They also said Congress has offered no financial assistance to agencies to help improve computer security since Clinton issued a National Plan for Information System Protection on Jan. 7.
That plan proposed that Congress increase federal spending for computer security and research by $280 million to $2.3 billion in 2001. The money also would help create a corps of computer-security experts by offering college scholarships to train talent.
“We do have severe challenges,” said Ed Roback, acting chief of the computer security division of the National Institute of Standards and Technology. Roback said break-ins to federal computers have increased and that he expects the attacks to get more elaborate and severe.
“I’d agree that the situation has gotten worse – there’s a lot of demand for people who are knowledgeable in the computer-security field,” said Ronald S. Stone, who oversees computer operations at the FCC.
“But it’s also fair to say there’s been a little bit of disappointment with Congress. . . . If there had been a similar response to computer security as there was to the Y2K problem, we wouldn’t have such” a poor security record, Stone added.
In July, Rep. Thomas M. Davis introduced a bill that would establish a top federal government-wide computer manager and give the manager $5 million annually to “assert leadership, direction and oversight of federal agency management of information resources.” In addition, agency computer-security practices would be subject to independent yearly review.
Rep. Jim Turner introduced a similar measure in June. Both measures are pending before the House subcommittee on government management, information, and technology.