GAO audit pokes holes in Commerce's security

Rep. W.J. 'Billy' Tauzin says Commerce's security woes open doors wider for hackers.

Computer networks throughout the Commerce Department are rife with 'significant and pervasive weaknesses,' the General Accounting Office's director of information security told a House subcommittee this month.

GAO's Robert F. Dacey discussed the findings of an extensive network security audit at Commerce before the Energy and Commerce Subcommittee on Oversight and Investigation.

As part of the audit, GAO assigned a team of what it called 'ethical hackers' to infiltrate secure sites at seven Commerce agencies, including the Bureau of Export Administration, the International Trade Administration and the Office of the Secretary.

Dacey said the hackers penetrated the department's systems, both from inside the Commerce network and from the Internet, using ordinary software, and exposed sensitive information. GAO's information security issues director also noted that, in most cases, Commerce was unaware that its systems had been breached.

The subcommittee's chairman, Rep. James Greenwood (R-Pa.), called the Commerce security program 'truly deplorable.'

Snooze control

Rep. W.J. 'Billy' Tauzin (R-La.), chairman of the Energy and Commerce Committee, said: 'If government hackers can get in, I guarantee you, kids in Russia or Cal Tech, or whatever, can do it. Somebody was asleep at the computer switch.'

GAO found that, among the bureaus it investigated, many systems did not require passwords to gain access to sensitive information. Many that did require passwords were protected by words that were easy to guess, such as the word 'password,' or widely known default codes supplied by vendors. Many network passwords never expired, and potential intruders were permitted unlimited attempts at access.

Dacey pointed to Commerce's security management structure as a reason for the department's troubles. 'Lack of a centralized approach to managing security is particularly risky considering the widespread interconnectivity of Commerce's systems,' he said.

Commerce inspector general Johnnie E. Frazier said the department is aware of its troubles and, over the past year, has conducted its own information technology audits aimed at tightening network security. He said the department will conduct semiannual reviews to evaluate IT security.

The IG's testimony detailed several specific security incidents at Commerce.

In one, a hacker from a foreign country infiltrated a Commerce network server and installed software that, if activated, would have disabled the server while overloading a designated Internet site. In another incident, a hacker destroyed software and inflicted extensive damage on a Commerce server. In a third incident, a cleaning staff member gained access to an improperly secured computer to view pornography on the Internet.

An insecure feeling

Deputy Commerce secretary Samuel Bodman had been on the job six days when he testified at the Aug. 3 hearing. He assured the subcommittee that Commerce's security troubles were a top priority.

Tauzin also expressed concern that some bureaus within Commerce used cookies to gather information from visitors to their Web sites. He called government use of cookies 'abominable.'
