GAO: Public info open to hackers

Hackers can gain access to sensitive medical and financial information on nearly every American because of widespread security weaknesses in agency computer systems, officials told the Senate Governmental Affairs Committee last week.

The General Accounting Office told the committee that significant information security weaknesses exist at all of the 24 largest federal agencies, placing critical defense and financial operations at risk, and that 17 of those agencies have deficiencies in their security planning and management. The most common weakness is poor control over who has access to sensitive data. Inadequate management and leadership from the Office of Management and Budget has exacerbated the computer security problem, said Gene L. Dodaro, GAO's assistant comptroller general.

GAO said external and internal auditors at the Social Security Administration and the Department of Veterans Affairs found security shortcomings that leave data vulnerable to hackers who could steal the information or manipulate it.

Both agencies defended their security practices but also admitted the audits uncovered security problems of which they were not aware. The audit of SSA revealed security breaches involving passwords, unprotected modems, lax implementation of audit trails and the vulnerability of the e-mail system, said Sen. Fred Thompson (R-Tenn.), the committee chairman.

John Dyer, principal deputy commissioner at SSA, said computer security is more difficult to tighten because SSA has recently moved from mainframes to a distributed computer environment and because the agency handles a huge volume of data. "I agree with the GAO that we need to do better," Dyer said. "The audit came up with things we were not aware of, and we're jumping on them."

Dyer said SSA agreed with nearly all of the auditors' 43 recommendations on how the agency could better protect its data, and the agency has completed 30 of them. The actions taken include limits on the use of modems, implementation of new password guidelines and tighter access controls for programmers and other system users, Dyer said. The agency also has put online an automated program designed to catch fraud by detecting unusual activity.

At the VA there has been a "major failure" in general computer security management planning, said Harold F. Gracey Jr., acting assistant secretary for information and technology in the VA. "We clearly have weaknesses," he told the committee.

Gracey said the VA intends to implement recommendations made by GAO, including improving control over access, protecting the systems from unauthorized access and implementing a department-wide computer security planning and management program.

Agencies' awareness of computer security problems has increased, but it has been too reactive, Dodaro said. "They have to take a comprehensive, proactive look at security, make it a top management priority and make it part of the fabric of [their operations]," he said.

Thompson demanded more leadership from OMB. "There's not one tangible thing that I can see that's been done...from a governmentwide standpoint to highlight this problem and to instruct people as to specific things that are expected out of them in these agencies," Thompson said.

The GAO reports based their conclusions on audits by independent companies and the inspector general's offices at SSA and the VA.

Two other limited distribution reports were issued with specific details about the vulnerabilities of government computer systems. These were sealed because of their sensitive nature and their potential to embarrass the agencies, said Bill Greenwalt, a member of the committee staff.