Report details problems with EPA's cybersecurity

jdean@govexec.com

After months of investigating, the General Accounting Office has confirmed that widespread internal weaknesses have rendered the Environmental Protection Agency's information security program ineffective.

In February, EPA temporarily shut down its Internet connection due to the severity of its security problems. The problems aren't new. EPA's inspector general twice pointed out major inadequacies within the agency's information security program, in 1997 and again in 1999, and GAO has been working for years with EPA to correct such weaknesses.

Critics fear that the agency's lax computer security will enable corporate or foreign spies and criminals to access sensitive data, such as copyrighted corporate formulas, that the agency collects for environmental purposes.

Rep. Tom Bliley, R-Va., requested the report, "Information Security: Fundamental Weaknesses Place EPA Data and Operations at Risk" (AIMD-00-215). A February hearing scheduled by Bliley on EPA's cybersecurity weaknesses was canceled, in part due to fear it would invite hacker attacks. A preview of GAO's investigation results was given instead.

GAO's final report found that the access controls, such as passwords and system privileges, to EPA's networks and operating systems "were riddled with security weaknesses." GAO also found holes in EPA's cybersecurity planning, control of Internet services, network monitoring, and security software implementation, configuration and maintenance.

The security problems are being exploited, GAO said. The report cites about two dozen instances where EPA systems were compromised or misused. And EPA's own log files, lists of network activity, "showed that EPA was the subject of repeated systematic probes from a variety of domestic and foreign sources."

In keeping with the best practices of the information security field, GAO recommended that EPA adopt a regimented system of reviewing log files, layers of security software, constant risk assessment, and agencywide protocols for dealing with incidents as they arise.

So far, EPA "has moved aggressively to reduce exposure of its systems and data," GAO said.

"We were aware of several technical problems requiring both short-term and long-term corrective action and had already begun addressing these issues prior to February, when we temporarily shut down our Internet Web site to accelerate these enhancements," wrote Margaret N. Schneider, EPA's principal deputy assistant administrator, in the agency's response to GAO's draft report.

EPA "recognizes that the agency must continue to improve security procedures," Schneider wrote.

In a letter to Bliley, GAO said it did not include details on EPA's technical weaknesses in the public version of the report due to the sensitive nature of the information.