Many of the largest federal agencies are not adequately protecting themselves against computer-based attacks, said a top General Accounting Office official whose agency successfully penetrated several of the government's mission-critical systems.
In a report and testimony presented to a Senate Judiciary subcommittee on Wednesday, Jack Brock, director of government and defense information systems for the GAO, said that his agency was able to obtain sensitive but not classified information by breaking into NASA's computers in a security test.
"The last thing I want to see is a headline saying that 'GAO brings down critical system'," Brock said in response to a question from Sen. John Kyl, R-AZ, chairman of the Technology, Terrorism, and Government Information Subcommittee of the Judiciary Committee.
Other audits by the GAO and agency inspectors general found that 22 of the largest federal agencies, including the Departments of Defense, Agriculture and Veterans Affairs, have significant computer security holes, Brock said. Poor information security management procedures were to blame for most of the problems, he said.
Kyl trumpeted the report's findings and questioned whether the Clinton Administration was adequately addressing computer security weaknesses. "You are saying that 22 agencies of our government show persistent computer weakness that put them at risk, and that they already have been adversely affected by system attacks?" Kyl asked incredulously. After Brock assented, Kyl retorted: "I don't believe the message has gotten out yet."
Brock's testimony, which came on the heels of two separate reports this month, one on the implications of the Y2K computer crisis for network security and the other on the state of lax computer security at the Department of Veterans Affairs, also cited hacking attacks on the Department of Defense and a weakness in computerized payroll processing at the Department of Agriculture that could have caused improper payments.
"Agencies have responded to scores of recommendations for improvements made by us and by agency inspectors general," Brock testified. "However, similar weaknesses continue to surface because agencies have not implemented a management framework for overseeing information security on an agencywide and ongoing basis."
He also said that agencies improved their computer security when faced with congressional oversight, citing Y2K as an example.