EPA shuts Web sites amid charges of lax security

Weaknesses in the Environmental Protection Agency's computer security system point to a general lack of Clinton administration oversight to protect sensitive information, a House Commerce Committee spokesman charged Thursday.

"It was good political theater for the President to hold a summit on computer security, but his own house is not in order," said spokesman Steve Schmidt. Committee Chairman Tom Bliley, R-Va., "feels it important that the American people should know the administration has failed on security issues."

EPA pulled down its public and private Web sites Wednesday night, shuttering all but the agency's internal e-mail system, out of fear of a possible hacking attack against the agency since the committee had scheduled a Thursday hearing on its security weaknesses.

"The hearing was cancelled because it would have attracted a lot of media attention," Schmidt said at a media briefing Thursday afternoon to release a General Accounting Office study examining the EPA's security weaknesses. "We knew they would be hacked into immediately."

An EPA statement confirmed the agency's fears of a hacking attack.

"The decision to temporarily close access to the Web site was made after a meeting Wednesday in which computer security experts warned that the public attention brought to the agency's potential computer vulnerabilities made the EPA a likely target for hackers," an EPA statement said. "We are taking all necessary steps to prevent unauthorized access to our systems."

GAO essentially hacked into EPA's sites to point out weaknesses in its system. The congressional watchdog agency has been working with EPA for years to correct the weaknesses.

"EPA cannot ensure the protection of sensitive business and financial data maintained on its larger computer systems or supported by its agency wide network," according to David McClure, GAO's associate director of Governmentwide and Defense Information Systems, in testimony for the committee's cancelled hearing.

Schmidt said the committee gave no assurances to the EPA that the GAO's findings would not be released if it took down its Web site. GAO's final report on the matter is expected by the summer.

Schmidt added that the committee is considering asking GAO to conduct similar hacking tests on other agencies under the committee's jurisdiction.

Bliley and the agency have had a tenuous relationship. Last year, the committee chairman introduced legislation that would have prevented the EPA from publicly disseminating so-called "risk management assessment" plans for the 66,000 chemical plants electronically. Congress reached a compromise to delay the information's release for one year.