GAO blasts Corps of Engineers' security weakness

GAO blasts Corps of Engineers' security weakness

Army agency counters that audit team failed to give corps credit for fixes it had already made

By Dennis M. Blank

Special to GCN

Citing computer control flaws at the Army Corps of Engineers' data centers, the General Accounting Office says the corps has left an electronic door open to hackers as well as legitimate users.

'Weaknesses could result in a disruption of critical computer-based operations,' noted Lisa G. Jacobson, GAO director of financial management and assurance, in the cover letter to the report. 'These weaknesses also increase the vulnerability of other Defense [Department] networks and systems with which the corps network is linked.'

The GAO audit team specifically looked into the security of the corps' financial management system, but it said its findings reflect poorly on the agency's computer security generally.

'It's not a total breakdown,' said Cleggett S. Funkhouser, GAO's assistant director of financial management and assurance.

But improvements can be made, he said, adding: 'Some of the areas are small, some a little bigger. Taken all together, we can't say whether the information in the system is accurate or inaccurate.'

Funkhouser said that although the corps disagreed strongly with many of GAO's findings, its officials were receptive to improving their systems security practices.

Corps officials criticized GAO's report, Financial Management: Significant Weaknesses in Corps of Engineers' Computer Controls, saying the auditors failed to note corrective action the agency has taken.

'We have already corrected some issues, and we are moving forward to correct many others in a timely manner,' said Maj. Gen. Milton Hunter, deputy chief of engineers. 'We do not believe we have 'pervasive weaknesses' as stated throughout the report.'

Hunter also said the corps plans to increase use of electronic signatures for security. 'This is a costly control so it must be judiciously applied where it is cost-effective,' he said.

Beg to differ

GAO said the corps disagreed with 13 of its 93 recommendations and with the overall assessment that the agency had sweeping computer security problems. Nevertheless, GAO said, implementing its recommendations would improve data protection at the corps.

'The widespread nature of the weaknesses we identified along with the corps' lack of an overall security management plan clearly reflects the existence of pervasive weaknesses in the security infrastructure,' the report concluded.

The congressional watchdog agency conducted general and application security tests over a four-month period beginning in September of last year. PricewaterhouseCoopers LLP of New York helped with the tests.

The audit team found that the corps did not adequately control remote access to its processing centers, protect network devices or limit user access privileges. GAO also cited problems in the agency's monitoring of access to its databases and poor use of database features designed to detect security violations. GAO also said the corps had faulty password controls for its network control devices.

'A large number of users were erroneously granted access to powerful privileges and had the capability to perform database functions that they were not authorized to perform,' GAO's Jacobson said. This open-ended access increased the risk that financial system data could be easily altered, he said.

During its investigation, GAO found that financial data as well as sensitive reports were accessible over the Internet and that servers allowed unauthenticated connections, raising the risk that a hacker could use the corps' systems to gain access to other Defense networks.

Despite GAO's censure, the corps' Hunter said that 'external audit reports issued concerning our financial transactions have not identified any corrupted financial data.'

Free-lance writer Megan Lisagor contributed to this report.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.