Federal computer systems remain wide open to malicious attacks and unauthorized entries, a new study from the General Accounting Office said.
The report – an annual review – found serious security weaknesses in computers run by the Department of Commerce, the Department of Defense, the Department of Health and Human Services, the Department of the Interior and the Internal Revenue Service.
“Although the nature of agency operations and risks vary, striking similarities remain in the specific types of . . . weaknesses reported and in their serious negative impact on an agency's ability to ensure the integrity, availability and appropriate confidentiality of its computerized operations,” the report said.
The report reprimands the government for poor security management, weak user access controls, and inadequate software development and continuity controls. Federal agencies were also criticized for not adequately separating users' access to unrelated areas of their departmental systems.
The GAO also tested agency computer access protocols and found most cyberlocks easily picked.
“Our auditors have been successful, in almost every test, in readily gaining unauthorized access that would allow both internal and external intruders to read, modify or delete data,” the report said.
The report characterized the efforts of the National Infrastructure Protection Center, the nation's chief cybercrime investigative arm, as “mixed.” The center received good marks for computer investigations, but was found lacking in cooperation with private-industry security groups.
“Of the four Information Sharing and Analysis Centers that had been established as focal points for infrastructure sectors, a two-way information sharing partnership with the NIPC has developed with only one: the electric power industry,” the report said.
The GAO also said the NIPC has been hobbled by the lack of a standard methodology for categorizing and acting on cyberthreats.
Few of the weaknesses outlined by the GAO are new. The accounting office has consistently criticized the government's computer security preparedness since 1996.