Investigators were able to break into internal Environmental Protection Agency systems over the Internet, a spokesperson for the House Commerce Committee said Tuesday, demonstrating significant computer security vulnerabilities at EPA that hackers could exploit.
"These weaknesses pose a serious threat to the integrity of EPA's information systems, and, if uncorrected, could allow unauthorized users to take control of EPA's network operations," David McClure, associate director of the General Accounting Office's Accounting and Information Management Division, wrote in a Dec. 17 letter to Rep. Tom Bliley, R-Va., chairman of the Commerce Committee.
Reacting to McClure's letter, Bliley accused EPA of risking hundreds of millions of dollars worth of EPA computer systems and data, as well as the security of other federal agencies connected to EPA systems.
Bliley has questioned EPA's security in the past because the agency is privy to trade secrets and national security-related information.
EPA itself has been concerned about its computer security defenses for some time. EPA's own inspector general discovered in 1997 that the agency was vulnerable to hacker attacks. Hackers raided the agency six times from October 1992 to November 1997. In its 1998 Federal Managers' Financial Integrity Act report, EPA acknowledged that its computer security plans were "deficient or non-existent, potentially placing agency organizations in a state of non-compliance with federal and agency regulations."
In May, Assistant EPA Administrator Romulo Diaz informed Bliley that the agency was "implementing an enhanced firewall strategy that will provide EPA with additional capabilities for detecting and thwarting unauthorized access to our computers and computer networks."
Diaz also told Bliley that none of the hacks on EPA's computers had resulted in the compromise of confidential information.
In a statement, the EPA said it welcomed GAO's computer security review and is acting on the results of GAO's investigation.
"EPA is continuing to work hard to maintain the security of its information systems," the statement said.
GAO's investigation into EPA's computer security is continuing, and the final report is not expected until spring, said Jack Brock, director of governmentwide and defense information issues at GAO.
NEXT STORY: State, embassies brace for Y2K