FC: GAO says EPA's computer security is "riddled" with weaknesses

[Declan McCullagh <declan () well com>]

*********

Exact URL is:
http://com-notes.house.gov/ai00215.pdf

*********

Press release:

Bliley Releases GAO's Findings on Computer Security At EPA

Report Calls EPA's Computer Network  "Riddled With Security Weaknesses"

Washington(August 11) --Ineffective, inadequate, and riddled with weaknesses.
This is how the General Accounting Office (GAO) described the Environmental
Protection Agency's (EPA) agencywide information security program.

     Commerce Chairman Tom Bliley (R-VA), who in August 1999 requested the GAO
audit of EPA's system as part of his review of the computer security policies
and programs of certain Federal agencies within the Committee's jurisdiction,
released the report today.

     "The GAO report, coupled with the Committee's other recent oversight in
this area, shows that, despite the tough rhetoric, the Clinton-Gore
Administration's cyber-security policy amounts to little more than paper
pushing," Bliley said today in releasing the GAO Report.

     In February of this year, after GAO's preliminary review of EPA's system
found "serious and pervasive problems," Chairman Bliley requested that EPA take
down its computer systems and initiate a major overhaul of its computer network
security. The EPA reluctantly complied.

     "It is unfortunate," Bliley said, "that years of gross mismanagment 
at the
Agency have left these sensitive systems and data at such serious risk for so
long.  But it is even more unfortunate that it took this Committee's oversight
and public pressure to motivate the Agency to undertake responsible steps to
ensure its computer systems provide adequate protection for sensitive Agency
data.

     "EPA, while shocking in degree, is not alone when it comes to poor
management of cyber security.  GAO and Committee oversight of other Federal
agencies continues to reveal that, rather than being a model for the private
sector to follow -- as the President has claimed he wants it to be -- the
Federal government appears instead to be a model of what not to do when it 
comes
to managing information security.

     "In today's world, information security is crucial. It is disturbing that
government agencies with critical computer systems have paid so little 
attention
to this issue, and are so vulnerable to attacks.  It also reflects a lack of
leadership from the White House, which under current law should be coordinating
agency efforts to improve cyber security, but isn't.

     "I will continue my review of agency information systems in an effort to
improve the Federal government's weak computer security practices."

     In late July 2000, Bliley requested the GAO complete a similar audit 
of the
Commerce Department's cyber security program.  Bliley also recently launched a
review of the Food and Drug Administration's (FDA) information management
policies and practices, requesting records detailing the agency's computer
security practices and any hacker attacks against FDA.

 -30 -
a copy of the GAO Report is available at:
 www.house.gov/commerce