GAO hacks Army Corps computer system

tballard@govexec.com

The U.S. Army Corps of Engineers' core financial computer system is full of computer security holes, making sensitive financial data vulnerable to hackers, a new General Accounting Office study says.

The Corps' key financial system processes military engineering, construction, civil works and real estate projects. According to GAO, users with valid access, as well as hackers, could change or alter information and disclose or destroy sensitive financial data, including social security numbers and other personal information stored in the system.

GAO hired a contractor, PricewaterhouseCoopers, to test the system's vulnerabilities. The firm successfully hacked into the Corps' computer system and found serious weaknesses, according to the report, "Financial Management: Significant Weaknesses in Corps of Engineers' Computer Controls" (GAO-01-89).

Problem areas included: remote access to the Corps' system; users with access to unauthorized areas; infrequent logging and monitoring of individuals' access to stored data; and the absence of audit logs to detect and monitor security violations.

But Russell Fuhrman, acting commander of the Corps, disagreed with GAO's findings, and said he did not believe his agency had "pervasive weaknesses" as the report asserted.

"The Corps of Engineers' automated systems are continually being modernized and security strengthened," Fuhrman said. "We are working hard to provide the government and our customers with a safe and secure information system and financial management operating system."

Fuhrman said the release of the report is premature since his agency has already taken steps to fix many of the problems GAO identified and because PricewaterhouseCoopers has not yet completed follow-up work that might show that many of the problems are resolved.

Still, GAO stuck with its original assessment, saying that the Corps' efforts to correct weaknesses need to be institutionalized as a continuous program of risk management.