Government-paid hackers working for a federal watchdog agency have been running amok through U.S. Department of Commerce information systems, avoiding detection in all but a few cases. And when the hacks were detected, Commerce Department IT workers employed a quid pro quo response by returning the scans and even launching their own attacks against the watchdog agency.
That information came to light at a sparsely attended congressional hearing today. The U.S. General Accounting Office, at the behest of the Subcommittee on Oversight and Investigations, has been systematically reviewing federal information security practices and finding that security is dismal at yet another federal agency.
The problem would be laughable -- and at times it was during the hearing -- if the stakes weren't so high. Rep. W.J. "Billy" Tauzin (R-La.), chairman of the House Committee on Energy and Commerce, was seemingly flabbergasted by a GAO official's assertion that only four of its more than 1,000 system scans were detected.
Doing some quick math, Tauzin said that means "99.6 percent of the intrusions were not detected ... that's purer than Ivory soap. That's a huge number."
The GAO said in a report that it was able to penetrate systems from inside and outside the target agency "using readily available software and common techniques."
The Commerce Department offers many targets of opportunity for hackers; its IT systems are vast and cost $1.5 billion last year to operate. It has 14 data centers to handle functions such as the census, export administration, economics and statistics reporting. One bureau has as many as 155 LANs and 3,000 users spread out across 50 states and 80 countries.
Much of the information in the department's systems is sensitive. For instance, businesses that need export licenses have to provide the department with proprietary information to get those licenses. "That is information you surely don't want your competitors to have," Johnnie E. Frazier, the department's inspector general, said at the hearing.
Samuel Bodman, who has been deputy secretary of the Commerce Department for only six days, was sent to testify. He offered no excuses at the hearing, and said he was "embarrassed to be here."
Although the Commerce Department may need to make some technology upgrades to improve security, the underlying problem identified by the GAO was a lack of centralized security management.
Bodman said officials have already begun to address the issue with an order by Commerce Secretary Don Evans directing all agency heads to make IT security a priority, as well as a restructuring plan that gives authority to departmental CIOs to begin addressing the problem. The department has also created a task force to study the issue, he said.