are here today to continue this Committee's review of
computer security -- or lack thereof as the case may
be -- at Federal agencies under our jurisdiction. Since
1998, this Committee has reviewed computer security
policies and practices at the Environmental Protection
Agency, the Department of Energy, the Health Care Financing
Administration, and today we will be focusing our attention
on the Department of Commerce. Without exception, we
have found significant security problems at each of
these agencies, all of which either took -- or are taking
-- prompt action to correct the deficiencies identified
as a result of our oversight. Unfortunately, it appears
that information security rarely becomes a priority
within an agency until the white-hot lights of public
and congressional attention focus on that agency's specific
we will hear from information security experts at the
General Accounting Office who, at this Committee's request,
conducted an in-depth evaluation of the Department's
management and implementation of computer security at
seven of its operating divisions, including the Bureau
of Export Administration, the International Trade Administration,
the Economics and Statistics Administration, and the
Office of the Secretary.
team of ethical hackers identified and exploited vulnerabilities
in the computer systems of these divisions to gain virtually
unlimited access to them internally, from within the
Department's network, and externally, from the Internet.
Not only could these systems be accessed without authorization,
but the information contained in them could be read,
modified, or deleted at will - even with respect to
the most sensitive systems and data files within these
seven divisions. And with such access also comes the
power to completely disrupt critical Department operations.
is no secret that, of the systems reviewed and found
to be vulnerable by GAO, many contain highly sensitive
personal, financial, commercial, and national security-related
data, and are critical to the Department's overall mission.
Included in this list are the export control licensing
systems and the networks that are used by the International
Trade Administration for communications with our foreign
Commerce outposts around the world.
state of the Department's security was truly deplorable.
GAO found instances in which systems did not require
passwords, even for system administrator accounts. Other
systems had easily guessed passwords, such as "password."
Certain passwords and password files were either unencrypted
or not otherwise protected, permitting anyone on the
network - authorized or unauthorized -- to read and
obtain even the most powerful account passwords. And
six of the seven bureaus did not even limit the number
of times an individual could try to log on to the system,
allowing would-be hackers excessive opportunities to
crack these poor password controls.
also found that poor network security and configurations
permitted GAO's experts to circumvent the limited security
controls that were in place, and thus to travel between
and among the seven connected bureaus - essentially
finding that the lowest common denominator among these
bureaus set the security standard for the rest of them.
Some of the bureaus did not even have firewalls in place
to protect all of their sensitive internal systems from
the Internet -- or, if they did, they were either so
poorly implemented as to be largely ineffective, or
could be easily bypassed via alternative access routes.
These failures place all of the connected bureaus at
significant risk of intrusions.
troubling, and despite advance notice of the GAO hacking
attempts, the Department's monitoring of cyber intrusions
failed to detect the overwhelming majority of GAO's
intrusion and scanning efforts, including the successful
ones. In fact, GAO reports that its hackers gained access
to one system, only to find that a Russian hacker had
been there before them, without the Department's apparent
knowledge. And only two of the bureaus reviewed by GAO
had formal intrusion detection systems in place. In
short, the Department simply has no idea of whether
its sensitive systems are being or have been compromised
--- a totally unacceptable situation.
reason for these failures, according to GAO, is the
lack of an effective security management program at
the Department. Basic and longstanding Federal security
requirements have essentially been ignored for years.
Only three of the 94 sensitive systems reviewed by GAO
had documented risk assessments, and only seven had
current security plans, none of which had been approved
yet by management. The Department's computer security
policies have not been updated since 1995, despite the
tremendous growth of the Internet and the increased
inter-connectivity between Commerce bureaus and the
outside world. And there are virtually no minimum security
requirements for all Commerce computer systems - even,
for example, on basic issues such as password lengths
addition to GAO, we will hear today from the Department's
Inspector General, which also has done work in this
area. A recent IG report essentially confirmed that
the lack of effective security management found by GAO,
with respect to seven of the Department's operating
divisions, was not unusual. Across the Department, adequate
risk assessments and security plans are the exception
rather than the norm, with roughly 92% of the Department's
systems failing to comply with at least one of these
Federal security requirements.
IG's financial control audits, which, beginning this
year, contained a limited penetration test of computer
security controls, also confirm that access control
problems similar to those identified at the seven bureaus
reviewed by GAO exist at many other Commerce bureaus
as well, including the Census Bureau, NOAA, NIST, and
others, posing threats from both internal and external
could this situation exist, and for so long? The short
answer is that, until this Committee started asking
questions early last year, no one at the Department
was even seriously looking at these issues. Despite
Federal requirements for independent reviews of security
controls on major systems on a routine basis, GAO found
that neither the Department's chief information officer,
nor six of the seven bureaus reviewed, had conducted
any such audits or oversight.
this situation is not at all unusual. Our cyber security
reviews have consistently shown that this lack of real-world
testing of the effectiveness of security controls is
one of the major problems facing not just the Commerce
Department, but the Federal government as a whole.
lack of attention to cyber security is reflected by
the lack of resources devoted to this purpose. At Commerce,
for example, the Department's Office of Information
Technology Security -- which is responsible for setting
the Department's computer security policies and conducting
oversight to ensure compliance by the various bureaus
-- was a one-person operation up until March 2000, when
the director of this office was given two interns to
assist with these important functions. I am pleased
to hear that Secretary Evans recently approved a re-direction
of additional personnel and funding for this office,
which in addition to computer security is also responsible
for the Department's overall critical infrastructure
certainly is time - indeed, it is well past time - for
the Commerce Department to start taking the security
of its data systems seriously, much more so than it
was under the previous Administration. In the 21st century,
effective computer security is as much a part and cost
of doing business as having locks on the front door
was during previous centuries. And we will continue
our oversight in this area until Commerce and the other
Federal agencies under our jurisdiction get this message
loud and clear.
to welcome and thank our witnesses for testifying today
on this important topic, and will now recognize the
Ranking Member for an opening statement.