Report: Govt. Computer Security Still Lax

Lax computer security poses a growing threat to a wide range of critical U.S. government operations and property, congressional investigators reported Monday.

Security lapses at all 24 federal agencies reviewed "place a broad array of federal operations and assets at risk of fraud, misuse and disruption," said the General Accounting Office (GAO), the non-partisan investigative arm of Congress.

Government officials are increasingly concerned about potential cyber attacks motivated by everything from juvenile mischief to intelligence gathering, crime and sabotage, the survey said.

As authorities rely more and more on networked computers, "there is a greater likelihood that information attacks will threaten vital national interests," GAO added.

Each of the 24 audited agencies was faulted for "serious weaknesses" in controls on access to their systems, up from 23 in September 1998, when the last such GAO audit was released.

Data gathered in the past year show that federal computer security is "fraught with weaknesses and that, as a result, critical operations and assets continue to be at risk," it said.

"Overall, GAO and inspector general reviews done over the past year continue to show that federal agencies have serious and widespread security weaknesses," the GAO's Joel Willemssen said at a congressional hearing Monday. "Weak controls over access to sensitive data and systems make it possible for a person to inappropriately modify, destroy or disclose data or computer programs."

The report said accounts often remained open even after employees or contractors wound up their employment.

Likewise, access was not promptly cut off or curtailed to reflect changes in responsibilities. And managers were routinely giving "overly broad access privileges to very large groups of users" rather than doling access out to those with a specific need to know, the study found.

At one unnamed agency, all 1,100 users had been granted access to sensitive system directories and settings, said the survey requested by Rep. Stephen Horn, the California Republican who chairs the subcommittee on government management, information and technology.

The use of "default," easily guessed and unencrypted passwords significantly increased the risk of unauthorized access, said GAO.

"These serious weaknesses present substantial risks to federal operations, assets and confidentiality," said Willemssen, the GAO's director of accounting and information. "The risks cover areas as diverse as taxpayer records, law enforcement, national defense and a wide range of benefit programs."

Illustrating the stakes involved, it said the Treasury Department's computer-security failings boosted the risk of fraud associated with billions of dollars of U.S. payments and collections.

At the Defense Department, such shortcomings "increase the vulnerability of various military operations that support the department's war-fighting capability," added GAO.

In addition, cracks in the system put huge caches of taxpayer and proprietary business information at risk of inappropriate disclosure, the survey said.

To test user-authentication and access controls, the investigators sought to pierce network security, often from off-site locations, with the cooperation of the agencies they were auditing.

They managed to break in almost every time, "gaining unauthorized access that would allow intruders to read, modify, or delete data for whatever purpose they had in mind," the report said.

The 24 agencies studied account for almost 99 percent of federal outlays. In addition to the Treasury and Defense departments, included were the departments of Energy, Health and Human Services, Transportation, Veterans Affairs and Agriculture, as well as the Social Security Administration and the Environmental Protection Agency.

©2000 CBS Worldwide Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.