Mr. Chairman and Members of the Committee:

We are pleased to be asked to discuss our work in computer security. As requested, our testimony will focus on the results of our recent reviews of the Department of State and the Federal Aviation Administration (FAA). Significant computer security weaknesses at both these organizations threaten the integrity of their operations, and we have made numerous specific recommendations for improving State and FAA's information security posture. Unfortunately, such weaknesses are typical at most federal agencies we evaluate. However, good management practices and organizational discipline can do much to mitigate the risks all government agencies face from security threats. Accordingly, we will also highlight best practices we have identified in studying leading organizations that can be used by all agencies to protect sensitive information and computer systems.

COMPUTER SECURITY IS AN INCREASINGTHREAT TO CRITICAL GOVERNMENT OPERATIONS

The dramatic increase in computer interconnectivity and the popularity of the Internet are offering government agencies unprecedented opportunities to improve operations by reducing paper processing, cutting costs, and sharing information. At the same time, however, malicious attacks on computer systems are increasing at alarming rates and are posing serious risks to key government operations. Thus, the ultimate success of agencies' ability to use interconnected systems to carry out critical governmental functions depends in large part on their ability to protect the integrity, privacy, and availability of the data and systems they rely upon.

This Committee has long been concerned about the need to protect sensitive information in federal computer systems. These concerns are well-founded. At the request of you, Mr. Chairman, and Senator Glenn, we have undertaken a large body of work to address the issue, including reviews of most of the federal government's largest departments' and agencies' computer security programs. In conjunction with our financial statement audit focus and high-risk reviews, this work has revealed a disturbing picture of our government's lack of success in protecting federal assets from fraud and misuse, sensitive information from inappropriate disclosure, and critical operations from disruption. For example:

In May 1996, we reported that computer hackers had penetrated Defense computer systems; obtained and corrupted sensitive information; shut down and crashed entire systems and networks; and denied service to users who depend on automated systems to help meet critical missions, including weapons and supercomputer research, logistics, procurement, and military health. Our recommendations focused on the need for Defense to assign clear responsibility and accountability for the successful implementation of its security program; improve its security policies and procedures; increase security awareness; and implement more proactive technical protection and monitoring systems.⁽¹⁾

In September 1996, we reported that, over the previous 2 years, serious weaknesses had been reported for 10 of the largest federal agencies, concluding that poor information security was a widespread federal problem with potentially devastating consequences.⁽²⁾ In that report, we recommended that OMB play a more proactive role in overseeing agency practices and managing improvements, in part through its role as chair of the Chief Information Officers (CIO) Council.

In February 1997, we identified information security across all government agencies as a high-risk area. We found management and system controls to be largely inadequate leaving critical operations at many agencies highly vulnerable to unauthorized access.⁽³⁾

In three 1997 reports, we identified a wide range of continuing serious weaknesses in IRS systems, including inadequate controls over employee browsing of taxpayer records.⁽⁴⁾

In March 1998, in our report on the federal government's consolidated financial statements, we emphasized that pervasive computer control weaknesses were placing enormous amounts of federal assets at risk of fraud and misuse, financial information at risk of inappropriate disclosure, and critical operations at risk of disruption.⁽⁵⁾

Also at your request, we are currently (1) examining computer security programs at other selected agencies including the National Aeronautics and Space Administration, (2) developing a comprehensive and detailed analysis of information security problems at the largest federal agencies, and (3) producing an updated summary of actions taken by OMB and the CIO Council to address these problems from a governmentwide perspective.

Today, the Committee is releasing the redacted versions of our reports on computer security at State and FAA.⁽⁶⁾ These reviews resulted in many findings that are too sensitive to discuss in today's open setting and, accordingly, detailed reports have been provided to this Committee and to appropriate agency officials under separate cover. However, we will describe the types of weaknesses found and the risks they posed to critical systems and information.

PERVASIVE COMPUTER SECURITY WEAKNESSES

THREATEN STATE DEPARTMENT OPERATIONS

Last year, this Committee asked us to assess whether the State Department's unclassified automated information systems were susceptible to unauthorized access. State relies on a variety of decentralized information systems and networks to help it carry out its responsibilities and support business functions, such as personnel, financial management, medical, visas, passports, and diplomatic agreements and communications. The data stored in these systems, although unclassified, are sensitive enough to be attractive targets for individuals and organizations seeking monetary gain or desiring to learn about or damage State operations. For example, much of this information deals with employees working for the department and includes American and Foreign Service National personnel records, employee and retiree data, and private health records. Background investigation information about employees being considered for security clearances is also processed on State's unclassified network.

The potential consequences of misuse of this information are of major concern. For example, unauthorized deletion or alteration of data could enable known criminals, terrorists, and other dangerous individuals to enter the United States. Personnel information concerning approximately 35,000 State employees could be useful to foreign governments wishing to build personality profiles on selected employees. Manipulation of financial data could result in over- or underpayments to vendors, banks, and individuals, and inaccurate information being provided to agency managers and the Congress. Furthermore, the overseas activities of other federal agencies may be jeopardized to the extent they are supported by State systems.

To determine State's vulnerability to computer attacks, we tested the department's technical and physical controls for ensuring that data, systems, and facilities are protected from unauthorized access. We designed our tests to simulate two security penetration scenarios: (1) an unauthorized individual who has no knowledge of State's automated information infrastructure (for example, a hacker or terrorist organization) and (2) a mid-level internal user with limited access privileges and some specific computer related information (for example, a State employee) exceeding his or her limited privileges.

In simulating these scenarios, we wanted to know whether an unauthorized user could compromise--that is, improperly access, modify, disclose, or destroy--sensitive data if he or she successfully penetrated State's computer resources. During our testing, we performed controlled penetration attacks at dial-in access points, internal network security controls, the department's Internet gateways, and public information servers. We also attempted to gain unauthorized physical access to certain State facilities and assessed users' awareness by attempting to get them to reveal sensitive information such as their passwords. Such techniques, sometimes referred to as social engineering, can be used by attackers to easily bypass an organization's existing physical and logical security controls.

Unfortunately, our penetration tests were largely successful. They demonstrated that State's computer systems and the information contained within them are very susceptible to hackers, terrorists, or other unauthorized individuals seeking to damage State operations or reap financial gain by exploiting the department's information security weaknesses. For example, without any passwords or specific knowledge of State's systems, we successfully gained access to State's networks through dial-in connections to modems. Having obtained this access, we could have modified, stolen, downloaded, or deleted important data, shut down services, and monitored network traffic such as e-mail and data files.

In addition, by posing as a trusted inside computer user, we were able to circumvent State's internal network security controls and access information and sensitive data which would normally be off-limits to most employees. For example, after we gained (administrator) access⁽⁷⁾ to host systems on several different operating platforms, such as UNIX and Windows NT, we viewed international financial information, travel arrangements, detailed network diagrams, a listing of valid users on local area networks, employees' e-mail, performance appraisals, and other sensitive data.

Our tests also showed that security awareness among State employees was problematic. For example, many computer users at State had weak passwords that were easily guessed, indicating that they were unaware of, or insensitive to, the need for secure passwords. One way to prevent password guessing is to ensure that users choose complex passwords such as those composed of alphanumeric, upper- and lower-case characters. However, we found no evidence that State was training its users to employ these techniques. We also found little evidence that State was training its users to refrain from disclosing sensitive information. For example, we called a user under the pretense that we were systems maintenance personnel and were able to convince her to disclose her password.

We also obtained access to State's networks by breaching physical security at one facility, and finding user account information and active terminal sessions in unattended areas. For example, in several instances we were able to enter a State facility without required identification. In an unlocked office, we found unattended personal computers logged onto a local area network. We also found a user identification and password taped to one of the computers. Using these terminals, we were able to download a file that contained a password list. This list could have been used later to help hack into State's systems. In another unlocked area, we were able to access the local area network server and obtain supervisor-level access to a workstation, which would have allowed us to even more easily circumvent controls and hide any traces of our activities.

Internet security was the only area in which we found that State's controls were currently adequate. We attempted to gain access to internal State networks by going through and around State's Internet gateways or exploiting information servers from the outside via the Internet, but we were not able to gain access to State's systems. State's protection in this area was adequate, in part, because the department currently limits use and access to the Internet. However, State officials have been requesting greater Internet access and the department is considering various options for providing it.

Expansion of Internet services would provide more pathways and additional tools for an intruder to attempt to enter unclassified computer resources and therefore increase the risk to State systems. Recognizing this, State conducted an analysis of the risks involved with increasing Internet use. However, the department has not yet decided to what extent it will accept and/or address these new risks. Until it does so, State will not be in a good position to expand its Internet use.

The primary reason why our penetration tests were successful is that State, like many federal agencies, lacks the basic building blocks necessary to effectively manage information security risks. First, State did not have a central focal point to oversee and coordinate security activities. Computer security responsibilities were fragmented among three organizations--the Chief Information Office, Diplomatic Security, and Information Management--none of which had the authority to effect necessary changes. Second, State did not routinely perform risk assessments so that its sensitive information could be protected based on its sensitivity and criticality to mission-related operations. Third, the department's primary information security policy document was incomplete. Fourth, State was not adequately ensuring that computer users were fully aware of the risks and responsibilities of protecting sensitive information. Fifth, the department did not routinely monitor and evaluate the effectiveness of its security programs, and it did not established a robust incident response capability.

A key reason why these critical elements of security were not in place was that top managers at State had not demonstrated a commitment to establishing a comprehensive and effective information security program. For example, even though State had reported mainframe computer security to the President and the Congress as a material weakness under the Federal Managers' Financial Integrity Act for the past 10 years,⁽⁸⁾ the problem had not yet been corrected. In addition, information security had often been assigned to low- and mid-level State employees as a collateral duty. Finally, State's top managers had still not developed a comprehensive security plan or ensured that appropriate resources were devoted to improving computer security.

In our report being released today, we recommended that State take a number of actions to address these weaknesses to improve its information security posture. For example, we recommended that the Secretary of State:

establish a central information security unit with responsibility for facilitating, coordinating, and overseeing departmental information security activities;

develop and maintain an up-to-date security plan;

develop policies and procedures that require senior State managers to evaluate the risks to their sensitive information and systems and determine appropriate solutions;

assign the CIO the responsibility and full authority for ensuring that the information security policies, procedures, and practices of the agency are adequate; and

defer expansion of Internet usage until State addresses known vulnerabilities and provides appropriate security measures commensurate with risks associated with the planned level of Internet expansion.

In addition, we provided State with dozens of suggested solutions to mitigate the specific weaknesses that our tests identified.

We are pleased to report that in concurring with our recommendations, State identified a number of actions it is beginning to take to strengthen its information security program. For example, State advised us that its Chief Information Officer is beginning to address the lack of a central focus for information systems security by establishing a Security Infrastructure Working Group. State also agreed to formalize and document risk management decisions, revise provisions of the Foreign Affairs Manual related to information security, and undertake an evaluation of one of its most significant networks based on our review. Furthermore, State said it is implementing a plan to correct the technical weaknesses identified during our testing. However, State did not agree with our recommendation to defer expansion of Internet use until the department addresses known vulnerabilities. In explaining its nonconcurrence, State asserted that expanding Internet usage is a priority and that the department has a plan to mitigate the risks of expansion.

FAA'S WEAK COMPUTER SECURITY PRACTICES JEOPARDIZE FLIGHT SAFETY

Given the paramount need to ensure safe air travel, this Committee also asked us to review FAA's computer security program. FAA's air traffic control (ATC) computer systems provide information to air traffic controllers and aircraft flight crews to ensure safe and expeditious movement of aircraft. Failure to adequately protect these systems, as well as the facilities that house them, could cause nationwide disruptions of air traffic or even loss of life due to collisions.

To determine whether computer security at FAA is effective, we were asked to assess (1) whether FAA was effectively managing physical security at ATC facilities, (2) whether FAA was effectively managing systems security for its current operational systems, (3) whether FAA was effectively managing systems security for future ATC modernization systems, and (4) the effectiveness of its management structure and implementation of policy for computer security. We elected not to perform penetration testing at FAA because, in the early phases of our work, we already had (1) identified serious deficiencies in each of the areas we reviewed, (2) found evidence of ATC systems that had been penetrated and critical ATC data compromised, and (3) determined that FAA had planned to conduct its own penetration tests on select ATC systems.

We found that FAA was not effectively managing physical security at ATC facilities. Known weaknesses exist at many facilities. For example, at one facility, an FAA inspection report disclosed that service contract employees were given unrestricted access to sensitive areas without having appropriate background investigations. FAA's assessment of another facility that controls aircraft concluded that access control procedures were weak to nonexistent and that the facility was extremely vulnerable to criminal and terrorist attacks. Furthermore, we found that FAA did not know if other facilities were similarly vulnerable because it had not assessed the physical security controls at 187 facilities since 1993.

FAA also was ineffective in managing systems security for its operational systems and was in violation of its own policy. A review conducted for FAA's Office of Civil Aviation Security in October 1996 by the Volpe National Transportation Systems Center⁽⁹⁾ concluded that FAA had performed the necessary analysis to determine system threats, vulnerabilities, and safeguards for only 3 of 90 operational ATC computer systems, or less than 4 percent.⁽¹⁰⁾ FAA officials told us that this was an accurate depiction of the current state of operational systems security. In addition, only one of the nine operational ATC telecommunications networks had been analyzed. Such poor security management existed despite the fact that FAA's 1994 Telecommunications Strategic Plan stated that "vulnerabilities that can be exploited in aeronautical telecommunications potentially threaten property and public safety." FAA's 1997 Telecommunications Strategic Plan continued to identify security of telecommunication systems as an area in need of improvement. Without knowing the specific vulnerabilities of its ATC systems, FAA cannot adequately protect them.

FAA claimed that because current ATC systems often utilize custom-built, 20-year-old equipment with special purpose operating systems, proprietary communication interfaces, and custom-built software, the possibilities for unauthorized access are limited. While these configurations may not be commonly understood by external hackers, one cannot assume that old or obscure systems are, a priori, secure. In addition, the certification reports that FAA has done revealed operational systems vulnerabilities. Furthermore, archaic and proprietary features of the ATC system provide no protection from attack by disgruntled current and former employees who understand them.

Additionally, FAA had not been effectively managing systems security for future ATC modernization systems. FAA had no security architecture, security concept of operations, or security standards. As a result, implementation of security requirements across ATC development efforts was sporadic and ad hoc. Of the six current ATC system development efforts that we reviewed, four had security requirements, but only two of the four developed their security requirements based on a risk assessment. Without security requirements based on sound risk assessments, FAA cannot effectively protect future ATC systems from attack. Further, with no security requirements specified during systems design, any attempts to retrofit security features later will be increasingly costly and technically challenging.

As FAA modernizes and increases system interconnectivity, ATC systems will become more vulnerable, placing even more importance on FAA's ability to develop adequate security measures. These future vulnerabilities are well documented in FAA's information security mission need statement and also in reports completed by the President's Commission on Critical Infrastructure Protection. The mission need statement asserts that "information security is the FAA mission area with the greatest need for policy, procedural, and technical improvement. Immediate action is called for to develop and integrate information security into ATC systems." The President's Commission summary report concluded that the future ATC architecture appeared to have vulnerabilities and recommended that FAA act immediately to develop, establish, fund, and implement a comprehensive systems security program to protect the modernized ATC system from information-based and other disruptions, intrusions, and attacks. It further recommended that this program be guided by the detailed recommendations made in the National Airspace Systems vulnerability assessment.

Finally, FAA's management structure and implementation of policy for ATC computer security was not effective. Security responsibilities were distributed among three organizations, all of which have been remiss in their ATC security duties. The Office of Civil Aviation Security was responsible for developing and enforcing security policy, the Office of Air Traffic Services was responsible for implementing security policy for operational ATC systems, and the Office of Research and Acquisitions was responsible for implementing policy for ATC systems that are being developed. The Office of Civil Aviation Security had not adequately enforced FAA's policies that require the assessment of physical security controls at all ATC facilities and vulnerabilities, threats, and safeguards for all operational ATC computer systems. In addition, the Office of Air Traffic Services had not implemented FAA policies that require it to analyze all ATC systems for security vulnerabilities, threats, and safeguards. Finally, the Office of Research and Acquisitions had not implemented the FAA policy that requires it to formulate requirements for security in specifications for all new ATC modernization systems.

FAA recently established a central security focal point, the National Airspace Systems Information Security (NIS) group, to develop additional security guidance (i.e., a security architecture, a security concept of operations, and security standards), to conduct risk assessments of selected ATC systems, to create a mechanism to respond to security incidents, and to provide security engineering support to ATC system development teams. This group has developed an action plan that describes each of its improvement activities, but it has not developed detailed plans or schedules to accomplish these tasks.

Establishing a central security focal point is a practice employed by leading security organizations. However, in order to be effective, the security focal point must have access to senior executives that are organizationally positioned to take action and effect change across organizational divisions. One approach for ensuring that a central group has such access at FAA would be to place it under a Chief Information Officer (CIO) who reports directly to the FAA Administrator. This approach is consistent with the Clinger-Cohen Act,⁽¹¹⁾ which requires that major federal departments and agencies establish CIOs who report to the department/agency head and are responsible for implementing effective information management.

FAA does not have a CIO reporting to the Administrator. Although the NIS group has access to certain key Associate Administrators (e.g., the Associate Administrator for Civil Aviation Security and the Associate Administrator for Research and Acquisitions), it does not have access to the management level that can effect change across organizational divisions, especially FAA's Administrator or Deputy Administrator. Thus, there is no assurance that the NIS group's guidance, once issued, will be adequately implemented and enforced, that results of its risk assessments will be acted upon, and that all security breaches will be reported and adequately responded to. Until existing ATC computer security policy is effectively implemented and enforced, operational and developmental ATC systems will continue to be vulnerable to compromise of sensitive information and interruption of critical services.

In our report, we recommended that FAA take a number of actions to improve its information security. For example, we recommended that FAA

develop and execute a plan to inspect the 187 ATC facilities that have not been inspected in over 4 years and correct any weaknesses identified,

correct identified physical security weaknesses at inspected facilities,

ensure that specifications for all new ATC systems include security requirements based on detailed security assessments, and

ensure the NIS group establishes detailed plans and schedules to develop a security architecture, a security concept of operations, and security standards and that these plans are implemented.

Finally, we recommended that FAA establish an effective management structure for developing, implementing, and enforcing ATC computer security policy. Given the importance and the magnitude of the information technology initiative at FAA, we expanded on our earlier recommendation that a CIO management structure similar to the department-level CIOs as prescribed in the Clinger-Cohen Act be established for FAA⁽¹²⁾ by recommending that FAA's CIO be responsible for computer security. We further recommended that the NIS group report to the CIO and that the CIO direct the NIS group to implement its plans.

In contrast to State, the Department of Transportation's response to our recommendations was disappointing. The Department only discussed its efforts for timely corrective actions pertaining to 1 of our 15 recommendations. It did not state what, if any, specific action it would take on the remaining 14 recommendations. This noncommitment is troubling considering that several of our recommendations are requesting that FAA adhere to its existing computer security policies.

LEARNING FROM LEADING ORGANIZATIONS TO FACE THE CHALLENGES IN SECURING SYSTEMS

Poor computer security is a pervasive problem across government. Security problems are often dealt with on an ad hoc basis with too little attention given to systemic issues and problems that underlie individual security lapses or breaches. Frequently, responsibility for computer security is viewed as burdensome and relegated to (1) technical staff who do not have the resources or clout to prompt improvements and/or (2) line staff who lack the training and experience necessary to fully appreciate and mitigate computer security risks.

The problem is further complicated by the complex computing environment most agencies now must have to meet their operating needs. Many agencies have a conglomeration of mainframes, PCs, routers, servers, software applications, and external connections. Because absolute protection over these complex infrastructures is not feasible, developing effective information systems security involves an often intricate set of trade-offs between the (1) type and sensitivity of the information and operations to be protected, (2) vulnerabilities of the computers and networks, (3) various threats, including hackers, thieves, disgruntled employees, competitors, and in the federal government's case, foreign adversaries and spies, (4) countermeasures available to combat the problem, and (5) costs. In making these trade-offs, agencies must understand the information security risks to their operations and assets, decide what they are going to do to defend themselves, and determine what risks they are willing to accept.

We have found that many problems contribute to agencies' difficulties in successfully balancing the trade-offs necessary to establish effective computer security. However, an underlying factor is that senior agency officials have not established a framework for managing the information security risks associated with their operations. To better determine how leading organizations handled these trade-offs, we undertook a comprehensive study--at this Committee's request--of eight organizations with superior security programs. These organizations--regardless of business type, size, or management structure--had one overriding tenet: business "owners," not security experts, assumed both responsibility and accountability for computer security. At the same time, however, security specialists played a strong educational and advisory role and had the ability to elevate discussions to higher management levels when they believed that risks were not being adequately addressed.

The organizations we studied managed their information security risks by implementing a continuing cycle of monitoring business risks, maintaining policies and controls, and monitoring operations. This cycle of activity parallels the process associated with managing the controls associated with any type of program. As illustrated in the figure below, all of these activities are coordinated through a central management office or group who served as consultants and facilitators to individual business units and senior management.

Figure 1: Risk Management Cycle

Each element of the risk management cycle, in turn, has a number of individual practices which these organizations followed to minimize risk.

Figure 2: Sixteen Practices Employed by Leading Organizations to Implement the Risk Management Cycle































We are pleased that the Committee is releasing the executive guide, which summarizes the results of our study, today.⁽¹³⁾ We are equally pleased that the CIO Council has also endorsed our executive guide and the 16 practices followed by leading organizations. We are working with the Council and the Office of Management and Budget to encourage agencies to adopt these practices as additional guidance that can be used to enhance the government's ability to protect federal assets from fraud and misuse, inappropriate disclosure of sensitive information, and disruption of critical operations. And, of course, we are continuing our work for this Committee to review agency computer security programs and to identify solutions that target the underlying causes of security weaknesses. We are also working with the CIO Council to develop improved risk assessment practices and methodologies and have planned a significant amount of work in this area over the next 3 years.

-- -- -- -- --

This completes our testimony.

(511646)

1. Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996).

2. Information Security: Opportunities for Improved OMB Oversight of Agency Practices (GAO/AIMD-96-110, September 24, 1996).

3. High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997).

4. IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses (GAO/AIMD-97-49, April 8, 1997); Financial Audit: Examination of IRS' Fiscal Year 1996 Administrative Financial Statements (GAO/AIMD-97-89, August 29, 1997); Financial Audit: Examination of IRS' Fiscal Year 1996 Custodial Financial Statements (GAO/AIMD-98-18, December 24, 1997).

5. Financial Audit: 1997 Consolidated Financial Statements of the United States Government (GAO/AIMD-98-127, March 31, 1998).

6. Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations (GAO/AIMD-98-145, May 18, 1998) and Air Traffic Control: Weak Computer Security Practices Jeopardize Flight Safety (GAO/AIMD-98-155, May 18, 1998).

7. Also known as "superuser" access, obtaining this access level permits total control of a system's operations and security functions. With system administrator rights, one can start up and shut down a system; add and remove system users; install or delete system software; and read, modify or delete all system data.

8. The Federal Managers' Financial Integrity Act: 1996 Report to the President and the Congress (United States Department of State, December 1996).

9. The John A. Volpe National Transportation Systems Center, located in Cambridge, Massachusetts, is a federal government organization whose principal role is to serve as a national center for transportation and logistics expertise. It provides research, management, and engineering support to the U.S. Department of Transportation, other federal agencies, and state and local governments.

10. Volpe Transportation Systems Center NAS AIS Security Review, Final Report, October 1, 1996.

11. The 1996 Clinger-Cohen Act, Public Law No. 104-106, section 5125, 110 Stat. 684 (1996).

12. Air Traffic Control: Complete and Enforced Architecture Needed for FAA Systems Modernization (GAO/AIMD-97-30, Feb. 3, 1997) and Air Traffic Control: Immature Software Acquisition Processes Increase FAA System Acquisition Risks (GAO/AIMD-97-47, Mar. 21, 1997).

13. Executive Guide: Information Security Management: Learning From Leading Organizations (GAO/AIMD-98-68, May 1998).

[Committee Members] [Subcommittees][Special Investigation]
[Jurisdiction] [Hearings] [Press Releases] [Sites of Interest]