FirstGov portal lacks adequate defenses, GAO says
GSA and OMB officials contend that new site and its search engine are secure against attack
By Fred Donovan
Special to GCN
The government's brand-new FirstGov portal is vulnerable to hackers, cyberterrorists and others with malicious intent, the General Accounting Office has concluded.
The portal, which went online last month at www.firstgov.gov, has no comprehensive security plan, David L. McClure, GAO's director for information technology management issues, warned a House panel during a hearing this month.
'This offers potential attackers with little technical skills and knowledge the opportunity to cause a great deal of damage, and accentuates the need for careful and coordinated security planning,' he said.
The site's developer and other government officials disagreed with GAO's assessment.
McClure told the House Government Reform Subcommittee on Government Management, Information and Technology that the contractors and subcontractors who put the FirstGov gateway together haven't coordinated security measures, which makes the portal vulnerable.
The FirstGov portal gives users access to publicly available federal government information online from one source [GCN, Oct. 2, Page 3].
The FirstGov Board of Directors has not set up periodic security reviews and no independent tests of the portal's access controls have been conducted, McClure said.
'It is critical that these and other elements of a complete security program be put into place to meet governmentwide requirements and to ensure that security is consistently maintained throughout the life of this important and highly visible project,' he said.
The GAO official warned that access to vast government resources through one portal increases the risk of searches by individuals seeking to damage government Web sites.
The search engine for the FirstGov Web site has been provided by a private-sector foundation, the Federal Search Foundation, as a gift, McClure said. That raises concerns about 'whether the government is in full control of how data from its Web site are collected and used,' he added.
In addition, questions have been raised about how the government will interact with FirstGov's private-sector partners, who provide links to FirstGov from their Web sites.
There are concerns that the partners would have special access to government information or could receive other exclusive benefits, he said. The board should develop more complete definitions and descriptions of the relationships with the partners, he added.
In addition, the FirstGov Web portal does not include the latest search engine technology, McClure said.
He pointed out that commercial portals let users conduct customized searches. He urged the FirstGov board to continue developing and employing the latest technologies.
The security of the FirstGov portal is excellent, GSA Administrator David Barram said.
David Barram, administrator of the General Services Administration, defended his agency's handling of the FirstGov project, and said the portal will contribute to a government that 'works better and costs less.' The security of the FirstGov site is excellent, he said.
Barram bluntly told the panel that people who are concerned about the Federal Search Foundation's role in developing FirstGov should 'get over it.' He also defended the Inktomi Corp. technology used in the search engine, saying it was the most up-to-date available.
GSA took precautions to ensure that the private-sector partners complied with its principles on privacy and access, Barram said, adding that 178 companies and nonprofit organizations have become FirstGov partners.
Eric Brewer, chairman of the Federal Search Foundation and founder of Inktomi of Foster City, Calif., told the subcommittee that he set up the foundation specifically to establish the FirstGov portal. He said the foundation has received funds from the private sector, including contributions from Sun Microsystems Inc. and Inktomi.
The foundation will turn over its services and database to the government over a period of two to three years and will cease to exist after that, Brewer said.
He said McClure's gift comment was overstating the influence the foundation has over the portal. Inktomi wouldn't have an advantage in getting the longer-term contract to provide the search engine technology, he said.
Sally Katzen, deputy director for management at the Office of Management and Budget, also defended the Clinton administration's handling of the FirstGov site's security and privacy.
Privacy OK
The portal complies with OMB's privacy policies for federal Web sites, which require the posting of privacy policies and prohibit the tracking of user behavior across government Web sites over time, she said.
Katzen acknowledged that the search engine and online indexes of the FirstGov portal need work. She said the search engine eventually will 'learn which pages are the most useful' to users and indexes will grow to include the most popular government Web sites.