US Gov Computer Security Said Laxgreenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread
Monday September 11 10:07 AM ET U.S. Government Computer Security Said Lax
By Jim Wolf
WASHINGTON (Reuters) - Lax computer security poses a growing threat to a wide range of critical U.S. government operations and property, congressional investigators reported on Monday.
Security lapses at all 24 federal agencies reviewed ``place a broad array of federal operations and assets at risk of fraud, misuse and disruption,'' said the General Accounting Office (GAO), the non-partisan investigative arm of Congress.
Government officials are increasingly concerned about potential cyber attacks motivated by everything from juvenile mischievousness to intelligence gathering, crime and sabotage, the survey said.
As authorities rely more and more on networked computers, ''there is a greater likelihood that information attacks will threaten vital national interests,'' GAO added.
Each of the 24 audited agencies were faulted for ``serious weaknesses'' in controls on access to their systems, up from 23 in September 1998, when the last such GAO audit was released.
Data gathered in the past year show that federal computer security is ``fraught with weaknesses and that, as a result, critical operations and assets continue to be at risk,'' it said.
A Variety Of Lapses
The report, prepared for a House of Representatives Government Reform subcommittee, said accounts often remained open even after employees or contractors wound up their employment.
Likewise, access was not promptly cut off nor curtailed to reflect changes in responsibilities. And managers were routinely giving ``overly broad access privileges to very large groups of users'' rather than doling access out to those with a specific need to know, the study found.
At one unnamed agency, all 1,100 users had been granted access to sensitive system directories and settings, said the survey requested by Rep. Stephen Horn, the California Republican who chairs the subcommittee on government management, information and technology.
The use of ``default,'' easily guessed and unencrypted passwords, significantly increased the risk of unauthorized access, said GAO.
Illustrating the stakes involved, it said the Treasury Department's computer-security failings boosted the risk of fraud associated with billions of dollars of U.S. payments and collections.
At the Defense Department, such shortcomings ``increase the vulnerability of various military operations that support the department's warfighting capability,'' added GAO.
In addition, cracks in the system put huge caches of taxpayer and proprietary business information at risk of inappropriate disclosure, the survey said.
To test user-authentication and access controls, the investigators sought to pierce network security, often from off-site locations, with the cooperation of the agencies they were auditing.
They managed to break in almost every time, ``gaining unauthorized access that would allow intruders to read, modify, or delete data for whatever purpose they had in mind,'' the report said.
The 24 agencies studied account for almost 99 percent of federal outlays. In addition to the Treasury and Defense Department, included were the departments of Energy, Health and Human Services, Transportation, Veterans Affairs, Agriculture as well as the Social Security Administration and Environmental Protection Agency.
-- Rachel Gibson (firstname.lastname@example.org), September 11, 2000
People never will learn, if a machine is connected it's brains (memory) can be sucked out. There is just too much at stake (private, government, or commercial) information it is all of value to someone. In a world with no standards, how can stealing information from people who are stealing information from you be wrong. commercial and government intrests have set the standard who are we not to use it... Lee Blocher
-- Lee Blocher (email@example.com), September 11, 2000.