Determined hackers could easily break into government computers and access information ranging from Social Security numbers to defense secrets, according to a report released Monday by the U.S. General Accounting Office (GAO).
“Federal computer systems are riddled with weaknesses that continue to put critical operations and assets at risk,” GAO director of civil agencies information systems Joel C. Willemssen said Monday in testimony before a subcommittee of the U.S. House Committee on Government Reform.
“These weaknesses placed a broad range of critical operations and assets at risk for fraud, misuse and disruption,” Willemssen added. “In addition, they placed an enormous amount of sensitive data — much of it pertaining to individual taxpayers and beneficiaries — at risk of inappropriate disclosure.”
The GAO report, “Information Security: Serious and Widespread Weaknesses Persist,” was a follow-up to a 1998 report on computer security within the federal government. The new report found that significant weaknesses identified in the earlier report had not been fixed, and that security weaknesses exist in all 24 government agencies reviewed.
Personal Information Unprotected
Personal information about individuals was easily obtained from a variety of government computers. In May 2000, GAO auditors were able to gain access to sensitive personal information from the Department of Defense (DOD) through a file that was publicly available over the Internet.
The auditors tapped into this file without valid user authentication and gained access to employees’ Social Security numbers, addresses and pay information.
The country’s defense secrets are also at risk of unauthorized exposure. According to the report, “Serious weaknesses in DOD information security continue to provide both hackers and authorized users the opportunity to modify, steal, inappropriately disclose and destroy sensitive DOD data.”
IRS, SSA, EPA Not OK
Sensitive personal information stored on Internal Revenue Service (IRS) computers was also at “serious risk of unauthorized disclosure, modification or destruction.” According to the report, the IRS did not always implement controls to prevent, limit, or detect access to computing resources.
Although information from Social Security Administration (SSA) computers could not be accessed improperly, the report concluded that weaknesses in the SSA’s information protection control structure place sensitive SSA information at risk of unauthorized disclosure or modification.
Environmental Protection Agency (EPA) computers are “highly vulnerable to tampering, disruption and misuse from both internal and external sources.” The data at risk, according to the GAO, are payroll information, confidential information from private businesses and sensitive data on human health and environmental risks.
As part of the audit, the GAO attempted, from remote locations and with the cooperation of the agencies being audited, to break into the computer systems it was studying. The auditors were successful almost every time in “gaining unauthorized access that would allow intruders to read, modify or delete data for whatever purpose they had in mind.”
The GAO’s findings are made even more compelling in light of a recent Federal Trade Commission (FTC) report that calls to the FTC’s Identity Theft Hotline had tripled over the last six months.
The hotline received more than 1,000 calls a week during July.
Hacker at Work
As if to prove the GAO’s point, on Friday a hacker calling himself Pimpshiz hacked into and smeared 110 Web sites, including several government sites, with a pro-Napster message. Among the government sites defaced were the Federal Maritime Commission’s site and a NASA site.
Pimpshiz told the E-Commerce Times that he chose sites that were “popular and high profile — spreads the word to more people.”
He also said that he believes hacking is a crime but that he avoids getting caught “with creativity.”