EPA's computer systems are "highly vulnerable to tampering, disruption and misuse" by both users within the agency and outside hackers, according to a report released Friday by the General Accounting Office (GAO).
The report says that despite aggressive actions by EPA to reduce the exposure of its systems and data, the computer systems are "riddled with security weaknesses."
In February, EPA shut down its Internet connection to protect sensitive confidential information that was easily accessible from the public Web site.
Since then, the agency has been conducting a security overhaul. The GAO report addresses the problems that existed before February, and investigators said that they have not yet begun to test the effectiveness of the new security controls.
GAO's report was commissioned by Rep. Tom Bliley, R-Va., chairman of the House Commerce Committee, who requested that EPA close its Web server in February after he raised concerns that EPA did not have adequate security to protect sensitive data on the site.
During GAO tests, investigators simulated the type of attacks that might be used by a computer hacker intruding via the Internet. Investigators readily breached and took control of EPA's firewall -- a software package that controls the content of inbound and outbound computer network traffic.
They were also able to guess many of EPA's passwords and decrypt encrypted password files by using commonly available "password-cracking" software.
The report also detailed seven examples in 1998 and 1999 of how computer hackers successfully launched attacks against the agency.
"These weaknesses require immediate attention, and EPA has begun steps to address them," said the report. "However, like other organizations ensuring that these improvements continue to be effective and implementing a sustainable information security program will require top management support and leadership, consistent oversight, and perhaps, additional levels of technical and funding support."
In response to the report, EPA conceded the technical problems found by GAO, but affirmed its long-term plan for the security of the agency's systems.
by Virginia Sutcliffe