GAO audit pokes holes in Commerce's security

Rep. W.J. 'Billy' Tauzin says Commerce's security woes open doors wider for hackers.

Computer networks throughout the Commerce Department are rife with 'significant and pervasive weaknesses,' the General Accounting Office's director of information security told a House subcommittee this month.

GAO's Robert F. Dacey discussed the findings of an extensive network security audit at Commerce before the Energy and Commerce Subcommittee on Oversight and Investigation.

As part of the audit, GAO assigned a team of what it called 'ethical hackers' to infiltrate secure sites at seven Commerce agencies, including the Bureau of Export Administration, the International Trade Administration and the Office of the Secretary.

Dacey said the hackers penetrated the department's systems, both from inside the Commerce network and from the Internet, using ordinary software, and exposed sensitive information. GAO's information security issues director also noted that, in most cases, Commerce was unaware that its systems had been breached.

The subcommittee's chairman, Rep. James Greenwood (R-Pa.), called the Commerce security program 'truly deplorable.'

Snooze control

Rep. W.J. 'Billy' Tauzin (R-La.), chairman of the Energy and Commerce Committee, said: 'If government hackers can get in, I guarantee you, kids in Russia or Cal Tech, or whatever, can do it. Somebody was asleep at the computer switch.'

GAO found that, among the bureaus it investigated, many systems did not require passwords to gain access to sensitive information. Many that did require passwords were protected by words that were easy to guess, such as the word 'password,' or widely known default codes supplied by vendors. Many network passwords never expired, and potential intruders were permitted unlimited attempts at access.

Dacey pointed to Commerce's security management structure as a reason for the department's troubles. 'Lack of a centralized approach to managing security is particularly risky considering the widespread interconnectivity of Commerce's systems,' he said.

Commerce inspector general Johnnie E. Frazier said the department is aware of its troubles and, over the past year, has conducted its own information technology audits aimed at tightening network security. He said the department will conduct semiannual reviews to evaluate IT security.

The IG's testimony detailed several specific security incidents at Commerce.

In one, a hacker from a foreign country infiltrated a Commerce network server and installed software that, if activated, would have disabled the server while overloading a designated Internet site. In another incident, a hacker destroyed software and inflicted extensive damage on a Commerce server. In a third incident, a cleaning staff member gained access to an improperly secured computer to view pornography on the Internet.

An insecure feeling

Deputy Commerce secretary Samuel Bodman had been on the job six days when he testified at the Aug. 3 hearing. He assured the subcommittee that Commerce's security troubles were a top priority.

Tauzin also expressed concern that some bureaus within Commerce used cookies to gather information from visitors to their Web sites. He called government use of cookies 'abominable.'

