A federal Inspector General has released a harsh assessment of an agency that has repeatedly failed to improve computer security even after suffering a hacking attack.
The Inspector General of the Federal Election Commission today issued an independent audit report on the agency’s Fiscal Year 2013 Fiscal Statements. The audit identified a significant deficiency in internal controls related to Information Technology security. The audit disclosed one instance of noncompliance with Homeland Security Presidential Directive 23 and National Security Presidential Directive 54, Cyber Security and Monitoring, which establish the Comprehensive National Cyber Security Initiative; the noncompliance relates to Initiative No. 1, Manage the Federal Enterprise Network as a Single Enterprise with a Trusted Internet Connection (TIC).
Major findings included (1) Failure to develop a strong IT security program places FEC at high risk of continued network intrusions, and (2) Oversight and monitoring of IT Corrective Actions are ineffective.
The audit also highlighted the “Refusal to adopt Government-wide IT controls increased risks of intrusions.” The audit identified a May 2012 network intrusion by an Advanced Persistent Threat (APT). For approximately eight months one of the Commissioner’s user accounts contained malware with the potential for a computer hacker to access and obtain copies of confidential compliance cases, General Counsel’s reports and briefs, subpoenas, agency review processes, compliance criteria matters, and other sensitive FEC documentation. The audit pointed out that after an outside contractor had suggested numerous corrective steps in October 2012, almost one year after the report was issued, the FEC “had not yet implemented any significant portion of the contractor’s recommendations.”
Other identified intrusions occurred in August 2013, and again in early FY 2014 (i.e., after October 1, 2013).
Although the IG report indicated the new independent auditor report contains recommendations to address deficiencies found by the auditors, FEC management generally concurred with only “some of the findings and recommendations.” The FEC is to prepare a corrective action plan.
The report stops short of placing primary blame for the security lapses on the staff, the Commissioners, or both. But the report is clear that the problems still exist.