FRAMINGHAM (08/11/2000) - A new report on the Environmental Protection Agency's (EPA) computer systems, prepared by the U.S. General Accounting Office (GAO) and released today by a Republican congressman, found security holes gaping enough to rival the one in the ozone layer.
The 44-page report cited "serious and pervasive problems that essentially rendered EPA's agencywide information security program ineffective." According to the GAO, operating systems and the agencywide network at the EPA "were riddled with security weaknesses," leading to "several serious computer security incidents since early 1998 that have resulted in damage and disruption to agency operations."
The GAO, which began its audit last August at the request of Rep. Tom Bliley (R-Va.), concluded that the EPA couldn't ensure the protection of sensitive data on its larger systems and was "highly vulnerable to tampering, disruption and misuse from both internal and external sources." Many of the security flaws had been reported to EPA management in 1997 by its own inspector general but were never fixed, the GAO added.
The security shortcomings listed by the GAO included ineffective firewalls and other perimeter defenses aimed at preventing intrusions, inadequate password protections and weak controls over access to the EPA's network and systems. For example, the GAO said its investigators were able to guess or decrypt passwords and move unimpeded throughout the EPA's network.
Bliley, the chairman of the House Committee on Commerce, made the report public today and blasted the EPA for "gross mismanagement" that left sensitive systems and data at "serious risk." He also charged that the Clinton administration's "cyber-security policy amounts to little more than paper pushing."
In a statement responding to the release of the report, the EPA said it takes data security "very seriously" and had already started implementing some improvements when it first learned of the GAO audit. The agency added that it temporarily shut down its Web site in February to accelerate the installation of beefed-up security measures, such as a new firewall and upgraded intrusion and virus detection capabilities.
Managers and employees at the EPA also have been asked "to take greater responsibility for following sound computer security practices," the agency said.
The GAO, which concluded its audit in February, acknowledged in the report that the EPA "has moved aggressively to reduce the exposure of its systems and data and to correct the weaknesses we identified." While the GAO hasn't been able to test any of the changes implemented by the EPA, the report said that the steps taken by the agency "demonstrate that it is moving in the right direction."
However, Bliley isn't stopping with the EPA. Last month, he asked the GAO to do a similar security audit of the systems at the Commerce Department. Bliley also launched his own review of the Food and Drug Administration's information technology policies and practices.