Mr. Chairman and Members
of the Committee, I am pleased to appear before you
today to discuss the Office of Inspector General's (OIG)
work and other activities related to the security and
protection of the Department's critical information
technology (IT) systems, programs, and activities.
The Department of Commerce has numerous complex computer
systems that provide essential services to the public
and support critical mission activities, such as the
nation's weather services, environmental stewardship,
promotion of trade and economic growth, scientific research,
and technological development. As the Department's systems
have become more interconnected, vulnerabilities have
also increased, thus increasing the need to continuously
improve IT security measures. Strong IT security measures
are vital to (1) protecting the privacy of information,
(2) safeguarding the integrity of computer systems and
their networks, and (3) ensuring the availability
of services to the American public and other users.
I cannot emphasize too much how important these measures
are.
Indeed, in our recent Semiannual Reports to the Congress, we
have identified "Strengthening Department-wide Information
Security" as one of the top 10 management challenges facing
the Department of Commerce because of that issue's:
1. Importance to the Department's mission and the nation's well-being,
2. Complexity and sizable expenditures, and
3. Need for significant management improvements.
During the past year, we have engaged in a number
of audit, inspection, evaluation, and other activities
involving Commerce IT security matters, all aimed at
strengthening IT security Commerce-wide. We have completed
evaluations of the Department's efforts to implement
its Critical Infrastructure Protection (CIP) plans.
We also have assessed the Office of the Chief Information
Officer's (CIO) IT security policy and the effectiveness
of its oversight of the Department's IT security program.
In addition, we have evaluated the use of persistent
Internet "cookies" and "web bugs"
on Commerce Internet sites. Furthermore, in support
of the OIG's fiscal year 2000 financial statement audits,
we have conducted security reviews of the Department's
financial management systems and their related networks.
Moreover, assessments of IT security policies and
practices are often an integral part of the operational
inspections we conduct of Commerce activities, units,
and offices domestically and overseas. These inspections
are intended to provide operating unit managers with
useful, timely information about their operations, including
IT security issues. IT security problems have also
been identified through our investigative work. In addition,
we have worked closely with many of the Department's
key IT managers, top security personnel, and senior
program officials in an effort to identify the most
critical IT security issues and help craft corrective
measures. Let me briefly summarize the results of some
of our recent efforts.
Early Progress Made in Critical Infrastructure Protection,
but Planning and Implementation Have Slowed
Last year, we evaluated the Department's CIP plan, identification
of minimum essential infrastructure (MEI) assets, and
vulnerability assessments of its cyber-based assets.
MEI assets are the physical and cyber-based assets essential
to the minimum operations of the economy and the government.
Our evaluation found that although the Department had
made initial progress by developing a Department-wide
CIP plan, identifying critical infrastructure assets,
and initiating vulnerability assessments, there were
several areas that warranted management attention:
- The Department's CIP plan needed to be strengthened
because several of its elements were outdated or missing,
and important milestones had slipped. The asset inventory,
vulnerability assessment framework, and budget estimates
included in the plan were not current. The plan also
did not include requirements for reviewing new assets
to determine whether they should be included as MEI
assets, periodically updating vulnerability assessments,
or developing a system for responding to infrastructure
attacks.
- The MEI asset inventory needed to be reevaluated
because of limitations in data gathering. In most cases,
asset managers were neither interviewed nor given adequate
guidance before filling out complex questionnaires used
to gather asset information, and the officials most
knowledgeable about the assets were seldom interviewed
because of logistical problems and limited resources.
Establishing a reliable MEI inventory is important because
it forms the basis for later activities, such as selecting
the highest risk assets for vulnerability assessments
and taking remedial actions.
- Vulnerability assessments, remediation plans, and
budget justifications needed to be completed. Reportedly
due to resource constraints, the Department had current
vulnerability assessments for less than 10 percent of
MEI assets and had not developed any remediation plans.
The CIO's office agreed with our findings and stated
that the Department's focus would be on the broad spectrum
of IT security, which emphasizes assets critical to
the Department's mission and includes most cyber-based
MEI assets. Short-term actions were identified to improve
guidance to operating unit personnel involved in vulnerability
assessments and increase their involvement in the MEI
asset inventory, revise the MEI asset list, and evaluate
new assets to determine whether they should be included
as MEI assets.
Additional Focus Needed on IT Security Policy and Oversight
The CIO is responsible for developing and implementing
a departmental IT security program to ensure the confidentiality,
integrity, and availability of information and IT resources.
The CIO's responsibilities include developing policies,
procedures, and directives for IT security and providing
oversight of the IT security programs of the Department's
operating units. We conducted an evaluation to assess
the CIO's policies and the effectiveness of his oversight
of the Department's IT security program. Our review
focused on the CIO's compliance with laws and regulations
governing IT security and his actions in recent years
to oversee the Department's IT security program.
We found that although in the past IT security did
not receive adequate attention, in more recent years,
the CIO's office had expanded its focus on and increased
the resources devoted to IT security. For example, the
office conducted its first Department-wide assessment
of IT security planning in 1999 and reviewed operating
unit self-assessments in 2000, which resulted in increased
compliance with security requirements. Nevertheless,
policy and oversight need further improvements. Specifically:
- IT security policy needs to be revised and expanded.
The Department's IT security policy is out of date because
it was developed in 1993 and 1995, prior to a significant
revision of OMB Circular A-130, which communicates policy
on the security of federal automated information resources.
The policy is also missing important components because
it has not kept pace with recent trends in technology
and related security threats. The Department's policy
must be kept current and complete because the operating
units use it as the foundation for their general and
system-specific policies. We recommended that the CIO's
office update and expand its IT security policy as soon
as possible.
- Additional IT security compliance procedures are needed. Security
for many of the Department's systems has not been adequately
planned, and security reviews have not been performed.
In addition, several operating units do not have adequate
awareness and training programs or adequate capabilities
for responding to IT security incidents. The Government
Information Security Reform Act (GISRA) requires the
CIO's office to conduct annual IT security evaluations
in 2001 and 2002 similar to the self-assessments it
monitored in 2000. We recommended that the office commit
to a program of reviews that extends beyond GISRA's
2-year review requirement. Moreover, the CIO's office
should work with the Department's acquisition and budget
managers to ensure that IT-related procurement specifications
include security requirements, and that funds for meeting
these requirements are included in operating unit budgets.
During our evaluation of the Department's IT security
policy, we provided the Department with a written analysis
that identified weaknesses and deficiencies in the policy,
and made recommendations for specific changes to bring
the policy into compliance with applicable laws and
regulations.
The CIO's office agreed with all of our recommendations
and cited a number of corrective actions it planned
to take to implement them. Among other things, it agreed
to revise, expand, and update the Department's IT security
policy; continue its compliance review program beyond
the 2-year period required by GISRA; and begin security
reviews as soon as possible.
Use of Internet "Cookies" and "Web Bugs"
Raised Privacy and Security Concerns
We evaluated the use of persistent Internet cookies
and web bugs by departmental Internet sites, as well
as the adequacy of the privacy statements posted on
the main web pages of the Department and its operating
units. We conducted our evaluation in response to Public
Law 106-554, the Consolidated Appropriations Act
of 2001, which required the Inspector General of each
agency to submit a report to the Congress disclosing
any activity regarding the collection of information
relating to any individual's access or viewing habits
on the agency's Internet sites. Persistent Internet
cookies are data stored on web users' hard drives that
can identify users' computers and track their browsing
habits. Web bugs are software code that can monitor
who is reading a web page. These technologies are capable
of being employed in ways that could violate the privacy
of individuals visiting the Department's web sites and
can also pose security threats.
Web bugs are considered security threats because they
can perform malicious actions, including searching for
the existence of specific information, such as financial
information, on a user's hard drive, and downloading
files from, or uploading files to, a user's computer.
A web user would be unaware of the presence of web bugs
without using detection software. Even if such software
were used, the malicious actions performed by identified
web bugs could go undetected. We found that most of
the Department's Internet sites do not use either persistent
cookies or web bugs. However, we did find several instances
in which persistent cookies were being used without
a compelling reason or the approval of the Secretary,
as required by Department and OMB policy. We also found
a number of web pages using web bugs. At the time we
began our evaluation, the Department did not have a
policy regulating web bug use, but it promptly developed
and issued one when informed of the problem. Finally,
we found that many of the operating units' privacy statements
did not provide all of the information required by the
Department's privacy policy.
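The two mechanisms described above can be checked for mechanically, which is essentially what an evaluation like the one described has to do across many pages. The following is an added example, not code from the OIG or the Department: it scans one captured HTTP response for cookies that outlive the browser session (Set-Cookie carrying an Expires or Max-Age attribute) and for image tags that look like web bugs (1x1 pixels, or images fetched from a host other than the page's own). The sample URL, headers and HTML are constructed for the example, and the two heuristics are this example's assumptions about what counts as "persistent" and "web bug", not a definition taken from the testimony or from Department policy.

```python
"""Scan a captured HTTP response for persistent cookies and likely web bugs.

Added example (not part of the OIG testimony). Heuristics used here are
assumptions of this example:
  persistent cookie = Set-Cookie with an Expires or Max-Age attribute
  web bug           = <img> that is 1x1/0x0 or is served by a third-party host
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


@dataclass
class Finding:
    kind: str    # "persistent-cookie" or "web-bug"
    detail: str  # cookie name or image source


def persistent_cookies(set_cookie_headers):
    """Return the names of cookies that would be written to disk.

    A cookie with neither Expires nor Max-Age is a session cookie and is
    discarded when the browser closes; one with either attribute survives
    and can recognise the same machine on a later visit.
    """
    found = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "expires" in attrs or "max-age" in attrs:
            found.append(name)
    return found


class WebBugFinder(HTMLParser):
    """Collect <img> tags that look like tracking pixels."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.bugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if not src:
            return
        # Resolve relative sources against the page so the host comparison works.
        host = urlsplit(urljoin(self.page_url, src)).hostname
        width = (a.get("width") or "").strip()
        height = (a.get("height") or "").strip()
        tiny = width in ("0", "1") and height in ("0", "1")
        third_party = host is not None and host != self.page_host
        if tiny or third_party:
            self.bugs.append(src)


def scan_response(page_url, headers, body):
    """Run both checks over one response and return a list of Finding."""
    findings = []
    set_cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    for name in persistent_cookies(set_cookies):
        findings.append(Finding("persistent-cookie", name))
    finder = WebBugFinder(page_url)
    finder.feed(body)
    for src in finder.bugs:
        findings.append(Finding("web-bug", src))
    return findings


# Constructed sample response for a hypothetical site; not real data.
SAMPLE_URL = "https://www.example.gov/index.html"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),                       # session only
    ("Set-Cookie", "visitor=7f3a; Expires=Wed, 01 Jan 2003 00:00:00 GMT; Path=/"),  # persistent
]
SAMPLE_BODY = """<html><body>
<img src="/images/seal.gif" width="120" height="120" alt="seal">
<img src="https://tracker.example.net/pixel.gif" width="1" height="1">
<img src="/stats/clear.gif" width="1" height="1" alt="">
</body></html>"""


if __name__ == "__main__":
    for f in scan_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{f.kind}: {f.detail}")
```

On the sample above the scan reports one persistent cookie (visitor) and two web bugs (the third-party pixel and the same-site 1x1 image); the agency seal and the session cookie are not flagged. In practice an auditor would feed it every page of a site and then ask, for each hit, whether the compelling reason and approval the Department's policy requires are on file.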
We recommended that the Department's CIO direct operating
unit CIOs and senior management to implement a strategy
to control the use of persistent cookies and web bugs
and to certify annually that the operating unit is in
compliance with the Department's applicable policies.
We also recommended that the CIO direct operating unit
CIOs and senior managers to revise their privacy policy
statements to make them compliant with the Department's
policy. The CIO's office agreed with our findings and
worked with us to help ensure that the cookies we had
identified were removed. The Secretary of Commerce's
new Special Assistant for Privacy is working to remove
all web bugs and develop a uniform privacy policy statement.
Systems Security Audits of Departmental Financial Management
Systems Reveal Problems
Our audits of Commerce operating units' financial statements,
performed by certified public accounting (CPA) firms
under contract with us, include security reviews of
the Department's financial management systems and related
networks that support the statements. Our CPA contractors
use GAO's Federal
Information System Controls Audit Manual (FISCAM)
as a guide in performing these reviews. FISCAM provides
guidance on assessing the reliability of computer-generated
data that supports financial statements, including physical
security and logical access controls designed to prevent
or detect unauthorized access or intrusion into systems
and networks.
In 1999 we adopted a
systems security review strategy that provides for full
coverage of each financial management system and its
related networks on a two-year basis. Every two years,
a review addresses the six systems security areas identified
in FISCAM: (1) entitywide security program planning and
management, (2) access controls, (3) application software
development and change control, (4) systems software,
(5) segregation of duties, and (6) service continuity.
In the alternate years, we routinely conduct penetration
testing (in which someone playing the role of a hostile
attacker tries to compromise systems security) and application-level
testing. Review of the system environment for significant
changes and follow-up on open recommendations occurs
annually.
The audits of operating units' individual fiscal year
2000 financial statements included reviews of the general
system controls over the major financial management
systems at the seven data processing locations. In the
reports on our audits of the Department's fiscal year
1999 and 2000 consolidated financial statements, we
noted that these systems security reviews disclosed
weaknesses in controls over major financial management
systems at all seven locations that provide data processing
support. Specifically, these reviews found that:
1. Entitywide security program planning and management needed
improvement at all seven locations. This control is the foundation
of an entity's security control structure and a reflection
of senior management's commitment to addressing security
risks. It is intended to ensure that security controls
are adequate, consistently applied, and monitored, and
that responsibilities are clear and properly implemented.
2. Access controls for both operating systems and the financial
management systems needed strengthening at all seven locations,
and monitoring of external and internal access to systems
needed strengthening at five locations. These controls
should limit or monitor access to computer resources
to guard against unauthorized modification, loss, and
disclosure.
3. Applications software development and change control needed
improvement at four locations. These controls should
help prevent the implementation of unauthorized programs
or modifications to existing programs.
4. Systems software improvements were needed at four locations.
Controls in this area should limit and monitor access to the
important software programs that operate computer hardware.
5. Segregation of duties improvements were needed at five
locations. Appropriate controls in this area include policies,
procedures, and an organizational structure to prevent one
individual from controlling key aspects of computer-related
operations, thus deterring unauthorized actions or access to assets.
6. To ensure service continuity, contingency plans needed to be
prepared, updated, or improved at all seven locations. Appropriate
controls in this area include procedures for continuing critical
operations, without interruption and with prompt resumption
of those operations, when unexpected events occur.
Of particular note, among the weaknesses identified
by the CPA firms in the area of entitywide security
program planning and management, was the fact that formal
comprehensive security plans either did not exist, were
outdated, or were not approved for the major financial
management systems and associated general support systems
on which the applications were processed. In addition,
risk assessments needed to be completed and approved,
and security monitoring needed to be performed.
At four locations, penetration testing was also performed
on the network that supports the financial management
systems to identify weaknesses in access controls. As
part of the penetration testing, the CPA firms reviewed
the adequacy of access controls, which include logical
and physical controls. Logical access controls involve
the use of computer hardware and software to prevent
or detect unauthorized access, such as by hackers, to
networks, systems, and sensitive files by requiring
users to input user ID numbers, passwords, and other
identifiers that are linked to predetermined access
privileges. Physical controls involve keeping computers
in locked rooms to limit physical access. The firms'
penetration testing of logical controls found that in
some cases:
- Open modems and ports were accessible to potential hackers.
- Sensitive information on websites was readily accessible.
- Sensitive active system services could allow unauthorized
access, downloading of files, and gathering of information.
- Firewall configurations could allow a hacker to introduce
a destructive virus.
In addition, physical access controls over networks
and financial management systems needed strengthening.
For example, at one location, automated exterior locking
systems had not been installed on doors to restrict
access, and the key card lock for the data center's
computer room was inappropriately placed on the inside
of the door, rather than the outside. In addition, personnel
did not consistently lock and secure their work areas.
At another location, hardware that processed very sensitive
information was located in an area accessible by numerous
employees and contractors and was not segregated in
an individually secure area.
For fiscal year
2000, the CPA firms concluded that four operating units
had system security weaknesses that rose to the level
of "reportable conditions." Taken together,
these conditions, combined with the Department's lack
of an integrated financial management system, constituted
a material weakness in the audit of the consolidated
financial statements. In our report on the audit of
the consolidated statements, we recommended that the
CIO's office continue to develop and implement a database
for tracking and reporting on corrective actions planned
and taken to address the outstanding general controls
recommendations. We also recommended that the office
review, monitor, and provide guidance to the reporting
entities on their corrective actions planned and taken
in response to our current and prior years' audit reports
on general controls. We issued audit reports with recommendations
to correct the control weaknesses identified at each
of the seven data processing locations, and the operating
units generally agreed with our recommendations. The
Department and its operating units are required to provide
us with audit action plans that address each of our
recommendations. We have reviewed the plans submitted
to date and concur with the actions taken or planned.
Moreover, we are in the process of performing our annual
follow-up of the adequacy of the corrective actions
planned or taken.
IT Security Issues Have Also Been Identified Through
OIG Inspections and Investigations
We have also identified IT security issues through our
inspections and investigative work. Our inspections
unit, for example, conducted a 1999 assessment of the
Bureau of Export Administration's (BXA) Export Control
Automated Support System as part of a larger review
of BXA's administration of the federal export licensing
process for dual-use commodities. While we determined
that most of the system's general and application controls
were adequate, we found that BXA's IT security controls
could be enhanced by improving database access controls,
preparing a security plan, performing periodic security
reviews, officially assigning the security duties to
its security officer, providing all users with current
security training, and restricting the number of BXA
employees with file manager access. BXA management implemented
some corrective actions immediately and agreed to take
action on our other recommendations dealing with the
IT security of its licensing system.
We are also conducting a series of inspections of
the National Weather Service's weather forecast offices
(WFOs) that have identified a number of IT security
issues that need to be addressed by local managers.
Among other problems, we noted that one WFO we visited
did not have a designated security officer, and office
personnel did not follow the Weather Service's policy
on IT security. We found other problems, which I cannot
describe in detail in a public hearing, that highlight
how vulnerable some systems can be without proper management
attention. Fortunately, the Weather Service has greatly
improved its IT security both locally and nationally
since the start of our review. During the past nine
months, we visited two other WFOs. Although we continued
to identify some IT security problems, we have found
that designated security officers have been named and
are receiving necessary training on IT security. More
importantly, WFO personnel appear to better understand
IT security concepts and requirements.
IT security problems have also been identified through
our investigative work. Through our OIG Hotline and
other information channels, specific incidents or allegations
involving IT security weaknesses, vulnerabilities, or
threats have been brought to our attention and examined.
For example:
- In one incident, a foreign hacker penetrated a network
server and installed software without the knowledge
of the system administrator. Had the software been activated,
the server would have been prevented from performing
its normal network services and would have been one
of many computers simultaneously activated to overload
a designated Internet site. As a result of the incident,
the number of points of access to the network was reduced
to a bare minimum, and existing monitoring software
was activated.
- In another incident, a hacker caused extensive damage
to an operating unit server, and it took more than 5
work days to repair the server and restore operations.
Because the software on the server was destroyed, the
system administrator was not able to determine how the
attack had occurred. Security features were added when
the software was restored, to reduce the risk of another
shutdown.
- In a third incident, an after-hours contract cleaning
employee used a computer that had not been properly
secured to gain access to the Internet via a network
system and view pornographic materials. Coordination
with the contracting officer, property manager, and
president of the contract company resulted in the employee's
immediate removal from the facility contract and subsequent
termination. In addition, the practice of routinely
leaving the computer on overnight was discontinued.
Additional OIG Reviews of IT Security Matters Are Either
Underway or Planned
We are currently conducting IT security evaluations
related to (1) the Economics and Statistics Administration's
and the Census Bureau's preparation and release of the
Advance Retail Sales Principal Economic Indicator,
(2) the Department's classified information systems,
and (3) the Department's IT security program and practices,
as required by the Government Information Security Reform
Act.
The objective of our security evaluation of the Advance
Retail Sales indicator is to determine whether adequate
internal controls and system safeguards are in place
to prevent the unauthorized disclosure or use of the
economic indicator data before its release to the public.
We have found that employees dealing with the indicator
do not always have appropriate background investigations
and that their positions are not always assigned the
appropriate level of risk as required by Title 5, Part
731, of the Code of Federal Regulations and OMB Circular
A-130. In some instances, the Department's records did
not identify the type of investigation done, if any,
for personnel working on Principal Economic Indicators.
We also noted a lack of guidance from the Office of
Human Resources Management, as well as from the Office
of Security, suggesting that the problems associated
with assigning appropriate risk levels to positions
and ensuring that background investigations are performed
may exist throughout Commerce. We are conducting additional
work to examine this issue.
Our review of the Department's classified information
systems will assess the adequacy of its policies for
protecting classified information and the effectiveness
of its oversight of these systems.
The GISRA-mandated review is the annual evaluation
of the Department's IT security program and practices.
This evaluation will incorporate information from our
security reviews, as well as results of related evaluations
performed by operating units, GAO, and contractors.
We are also continuing our security reviews of Commerce's
financial management systems and related networks
as part of our fiscal year 2001 financial statements
audits. These reviews will be in line with our IT security
review strategy and will include penetration testing
of the U.S. Patent and Trademark Office and FISCAM reviews
for the other operating units.
The need for the OIG to provide oversight and evaluation
of IT security will be increasingly critical in the
coming years. Our independent evaluation of the Department's
IT security program being performed under GISRA and
our security reviews of the Department's financial management
systems show that although the Department is giving
greater attention to IT security, serious issues remain
to be resolved. These issues appear to be the result
of an earlier lack of attention to IT security, limited
resources, and an environment in which the risks, threats,
and vulnerabilities have continued to escalate in number
and complexity. The weaknesses identified by GAO's recent
network vulnerability analysis of the Department underscore
our concerns.
In our independent GISRA evaluation for the next fiscal
year, we plan to evaluate the effectiveness of operating
unit IT security programs and to conduct security evaluations
of specific general support systems and major applications.
We will use the findings of our current GISRA evaluation
and of GAO's security audit to assist us in identifying
specific operating units, general support systems, and
major applications to evaluate in the future.
Cooperative Efforts Needed to Address IT Security Weaknesses
I am pleased to note that, just last month, my office
entered into a memorandum of agreement with the Department's
Office of the CIO and Office of Security to define our
respective roles and responsibilities relating to
the development, implementation, and management of the
Commerce IT security program. This agreement is intended
to promote a partnership among the three offices that
both ensures complete coverage of IT security matters
and prevents wasteful duplication of effort.
Under the agreement, the CIO's office has the basic
responsibility for developing and implementing the Commerce-wide
IT security program, which includes developing IT security
policies and procedures, promoting IT security awareness
and training, serving as the Department's critical infrastructure
assurance officer, and convening a meeting of the incident
response group when incidents or intrusions occur. Commerce's
Office of Security has the primary responsibility for
security for the Department's classified systems and,
in conjunction with the Department of State, for IT
security at Commerce overseas posts. My office is responsible
for conducting investigations of IT incidents and intrusions,
and for conducting reviews of the Department's IT security
program and individual systems, including the annual
independent evaluations of the program required by GISRA.
In closing, it is clear that cooperative, continuous,
and concerted efforts are needed by each of us, and I
mean each of us, if we are to address IT security weaknesses.
These efforts are needed if we are to have any chance
of staying at least one step ahead of the hackers and
others that see IT security as some sort of cat-and-mouse
game.
I am confident that the
senior management of the Department and its operating
units increasingly recognize the need to take a proactive
approach to do this. For example, the Secretary's recent
directive increasing the authority of operating unit
CIOs and making them a more integral part of the management
team is an important initiative. Likewise, the recent
appointment of a Senior Advisor to the Secretary
for Privacy should be instrumental in addressing such
issues as cookies, web bugs, and other security/privacy
matters. And program officials are also being strongly
reminded that they too have key IT security responsibilities
and need to work closely with operating unit CIOs and
security officials to ensure an effective security program.
We intend to continue our partnership with all of these
managers by identifying weaknesses and potential vulnerabilities
in IT security and by searching for ways to improve
it. Through this relationship, I believe we can help
strengthen IT security within the Department.
This concludes my statement. A list highlighting some
of the reports we have issued that address IT security
issues is included as an attachment. Mr. Chairman, I
would be happy to answer any questions you or other
members of the Committee might have.
ATTACHMENT
U.S. Department of Commerce
Office of Inspector General
Recent Audit, Inspection, and Evaluation Reports on Information
Technology Security Matters
Evaluations
1. Office of the Chief Information Officer: Use of Internet "Cookies"
and "Web Bugs" on Commerce Web Sites Raises Privacy and Security
Concerns, OSE-14257, April 2001
2. Office of the Chief Information Officer: Additional Focus Needed on
Information Technology Security Policy and Oversight, OSE-13573,
March 2001
3. Office of the Chief Information Officer: Critical Infrastructure
Protection: Early Strides Were Made, but Planning and Implementation
Have Slowed, OSE-12680, August 2000
4. Bureau of the Census: Computer Security for Transmission of
Sensitive Data Should Be Strengthened, OSE-10773, September 1998
Financial Statements Audits
[Note: These audits are performed annually; listed
below are only the reports covering FY 2000. In addition,
the reports on security reviews are not publicly available
documents.]
5. Department of Commerce: Consolidated Financial Statements, FY 2000,
FSD-12849-1, March 2001
6. National Institute of Standards and Technology: Improvements Needed
in the General Controls Associated with Financial Management Systems,
FSD-12859-1, February 2001
7. Economic Development Administration: Improvements Needed in the
General Controls Associated with Financial Management Systems,
FSD-12851-1, January 2001
8. Bureau of the Census: Improvements Needed in the General Controls
Associated with Financial Management Systems, FSD-12850-1, January 2001
9. National Technical Information Service: Improvements Needed in the
General Controls Associated with Financial Management Systems,
FSD-12857-1, January 2001
10. Office of the Secretary: Follow-up Review of the General Controls
Associated with the Office of Computer Services/Financial Accounting
and Reporting System, FSD-12852-1, January 2001
11. International Trade Administration: Review of General and
Application System Controls Associated with the Fiscal Year 2000
Financial Statements, FSD-12854-1, January 2001
12. National Oceanic and Atmospheric Administration: Improvements
Needed in the General Controls Associated with Financial Management
Systems, FSD-12855-1, December 2000
13. United States Patent and Trademark Office: Improvements Needed in
the General Controls Associated with Financial Management Systems,
FSD-12858-1, December 2000
Inspections
14. National Oceanic and Atmospheric Administration: San Angelo Weather
Forecast Office Performs Its Core Responsibilities Well, but Office
Management and Regional Oversight Need Improvement, IPE-13531, June 2001
15. National Oceanic and Atmospheric Administration: Raleigh Weather
Forecast Office Provides Valuable Services, but Needs Improved
Management and Internal Controls, IPE-12661, September 2000
16. Bureau of Export Administration: Improvements Are Needed to Meet
the Export Licensing Requirements of the 21st Century, IPE-11488,
June 1999
17. Office of Security: Vulnerabilities in the Department's Classified
Tracking System Need to Be Corrected, IPE-11630, March 1999