U.S. attorneys' offices wide open to hackers, GAO says

Computerworld - WASHINGTON -- A government report released Aug. 12 cites years of IT security negligence at the U.S. Department of Justice office responsible for the day-to-day support of the nation's 93 U.S. attorneys' offices.
In a General Accounting Office audit completed July 25, congressional investigators discovered that the Executive Office for United States Attorneys (EOUSA) operated a virtual private network (VPN) between its various offices and the Justice Department's main data center in Rockville, Md., without ever conducting a risk assessment before its replacement in July. In addition, a lack of staffing and resources meant that firewall logs have been ignored and weren't even activated until recently at 240 office locations.
The GAO report also said that no intrusion-detection system had been deployed to monitor the organization's wide-area network.
The EOUSA was established in 1953 as a component of the Justice Department to provide general executive assistance and administrative and operational support to the 93 U.S. attorneys' offices throughout the 50 states, the District of Columbia, Guam, the Marianas Islands, Puerto Rico and the U.S. Virgin Islands. One of EOUSA's key responsibilities is managing IT resources for the U.S. attorneys' offices, including annual IT budget submissions and the acquisition and maintenance of IT assets for the offices.
The Justice Department couldn't be reached for comment today.
However, in an official response to the GAO, Guy Lewis, director of the EOUSA, disagreed with the report's findings on security.
"EOUSA has one of the strongest security programs within the Department of Justice and perhaps the federal government," wrote Lewis. He also said that since the establishment of a CIO position in January 2001 and an expansion of its IT security staff, the EOUSA has undertaken numerous security initiatives, including deployment of one of the largest intrusion-detection systems in the department, certification and accreditation for more than eight systems, deployment of virus protection software and real-time encryption for all laptops and handheld devices, and penetration testing and vulnerability assessments.
"The Department of Justice inspector general conducted a security audit of several [assistant U.S. attorneys' offices] last year, and they found 10 vulnerabilities in those offices," said Lewis. "All but one of those findings have been resolved, the last being related to our updated VPN and review of the audit logs."
According to Lewis, it didn't make sense to invest in a timely and costly risk assessment of the old VPN because it was scheduled to be replaced at the end of last month.