Lax security left Senate files wide open

GOP staff members of the Senate Judiciary Committee had free access to sensitive Democratic computer files because of what investigators termed a 'significant lack of security' on the committee's network.

A report by the Senate sergeant at arms has blamed the poor controls on the IT administrator's inexperience and lack of training.

'Forensic analysis indicated that a majority of the files and folders on the server were accessible to all users on the network,' said the report, released yesterday. 'Any user on the network could read, create, modify or delete any of the files or folders.'

The report made recommendations for improving the committee's computer security, including setting minimal technical skill standards for administrators.

The problems came to light in a three-month investigation by Sergeant at Arms William H. Pickle about leaks of Democratic memos to the press late last year. The apparent intent was to embarrass Democrats by revealing political strategies in opposing conservative judicial nominations. But the investigation exposed partisan spying by several GOP staff members.

In what was described as an unprecedented investigation, the sergeant at arms hired an outside computer forensics firm to help in the investigation.

Republican and Democratic committee staffs share a single LAN, which until recently had a single administrator. Investigators found that user accounts established before August 2001 were generally created with strict access controls. Those established after that date, when a new administrator was hired, were open.

According to Pickle's report, a committee clerk discovered he could access Democratic files in the fall of 2001 while he watched the systems administrator working. Improper access apparently continued until last spring, when the network hardware and software were upgraded. Although many accounts remained open, the directories no longer were visible to most users. A new administrator was hired last July.

Most of the investigation's results came from interviews with staff members. Security practices were so inadequate that forensics specialists said they could learn little.

'While there was extensive forensic analysis of servers and individual workstations, the results were limited due to the absence of proactive security auditing,' the report said.

No record was kept of changes in access controls, and it was not possible to tell who was accessing what files.

The sergeant at arms concluded that the lapses were not the result of malicious behavior by the administrator, who was hired just out of college, but rather of lack of experience, training and oversight.

The problems found in the investigation were not limited to that period, or to the Judiciary Committee.

'Like some other Senate offices, the Judiciary Committee has historically been staffed with systems administrators who preferred to perform most computer-related tasks themselves,' the report said. 'This has been true even if they had only minimal technical experience.'

Since the leak was discovered, the committee's Republican and Democratic staffs have been put on separate LANs with separate administrators. Chairman Orrin Hatch (R-Utah) and ranking Democrat Patrick Leahy of Vermont requested a network security audit by the General Services Administration in February.

Although the report identified several possible ethics and criminal violations, it made no recommendation for legal action. It did, however, recommend these actions to improve IT security throughout the Senate:

  • Establish technical skills assessment, certification and continuing education requirements for system administrators

  • Set minimum qualifications for administrators

  • Create a best-practices manual for computer security

  • Require ethics and computer security training for all new employees.


  • About the Author

    William Jackson is a Maryland-based freelance writer.

    inside gcn

    • When cybersecurity capabilities are paid for, but untapped

    Reader Comments

    Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

    Please type the letters/numbers you see above

    More from 1105 Public Sector Media Group