Cyber Eye: Judiciary Committee is in a fine pickle
- By William Jackson
- Mar 30, 2004
If Congress received grades for its systems security the way executive branch agencies do, the Senate Judiciary Committee would get an F.
The Senate's sergeant at arms, William H. Pickle, recently headed an investigation of leaks of confidential Democratic staff memos last November. His report blamed the leaks on poor access control and security policy. Any user on the committee LAN was free to look at, and download, any of the files in unprotected accounts.
The report blamed the systems administrator's inexperience and lack of training and oversight. Hired straight out of college in July 2001, the administrator apparently worked without significant supervision until February 2003.
'I was not instructed to set such user permissions on each folder under the old system,' the administrator told investigators. 'This was an oversight in teaching me how to set up the accounts. My assumption was that these permissions were restricted by some other means.'
Staff members from both sides of the aisle apparently were unaware of the open accounts until a Republican clerk stumbled on them.
Investigators found a general lack of attention to security, citing problems with the committee's LAN administrators dating back at least five years.
'Like some other Senate offices, the Judiciary Committee has historically been staffed with administrators who preferred to perform most computer-related tasks themselves,' the report said.
Security auditing on the committee's LAN was so incomplete that forensics experts could get little usable information. Details of the leaks came from the confessions of a clerk who downloaded files.
Although the Senate's perimeter security apparently was adequate, internal protections were not:
- Symantec Corp.'s pcAnywhere remote-control software was running by default on committee computers.
- The committee LAN had poor physical access controls and no documented computer security rules.
- Computers were often left signed on to the network but unattended.
The legislative branch could benefit from a healthy dose of the kind of IT oversight Congress has been meting out to the executive branch for years now.
William Jackson is a freelance writer and the author of the CyberEye blog.