Outside hackers breaking into government computers aren't the only enemies of federal computer security, experts testified at a Senate hearing Wednesday. Corrupt employees can sell citizens' information and tamper with agency data if federal managers aren't careful.
Senate Governmental Affairs Committee Chairman Fred Thompson, R-Tenn., noted at the hearing that computer crime is often committed by insiders.
"While it is very important to protect our government computers from outside hackers who break into our computers through high-tech doors, we must also look at the internal use of our computers," Thompson said.
For example, in 1996 and 1997 the Social Security Administration's inspector general uncovered 12 employees involved in a credit card fraud conspiracy orchestrated by West African syndicates. The employees sold citizens' records from Social Security databases to the syndicates for $10 to $50 per record. An inspector general investigation discovered that the employees supplied the syndicates with 20,000 records, which were used for $70,000,000 in fraudulent credit card purchases.
A GS-8 Social Security representative in Brooklyn, N.Y., admitted to taking 30 records a day for two years and giving them to a contact at the New York City Department of Social Services, who used the information along with stolen credit cards. A GS-5 claims clerk in Jamaica, N.Y., sold between 1,000 and 1,500 records to the syndicates.
In another case, a GS-11 claims representative in Florida was found guilty of falsifying personal data filed with the government in what Thompson described as a "virtual murder" case. The claims representative tampered with an acquaintance's Social Security record, marking her as deceased, after the two had a disagreement.
James G. Huse, Jr., acting inspector general at SSA, said employee fraud prevention and detection is the IG office's number one mission. The office uses computer logs to uncover employee abuses, and publicizes successful prosecutions of corrupt employees to deter other workers from attempting to violate beneficiaries' privacy.
Gene Dodaro, assistant comptroller general at the General Accounting Office, said computer security is a high-risk area governmentwide. One major problem is that agencies give too much access to too much data to too many people, Dodaro said.
GAO issued the following recommendations for improving internal computer security:
- Low-level employees with little need for broad access should have limited security privileges.
- Each user should have his or her own account and password. Otherwise it is impossible to trace specific actions to an individual.
- Managers should develop monitoring systems to deter and identify improper computer use.
- Agency access controls should be thorough, eliminating security gaps.
- An employee's account should be eliminated immediately when the employee leaves the agency or when his or her responsibilities no longer require access to certain files.
"These types of weaknesses make the financial transaction data and personal information on veteran medical records and benefits stored on these systems vulnerable to misuse, improper disclosure and destruction," GAO said.
VA and Social Security officials agreed they need to step up their efforts to improve internal computer security controls.