Report says EPA computers are vulnerable

WASHINGTON (AP) -- The Environmental Protection Agency's computer system is "riddled with security weaknesses" to a point that the agency cannot assure protection of its most sensitive information,

Thursday, February 17th 2000, 12:00 am

By: News On 6

WASHINGTON (AP) -- The Environmental Protection Agency's computer system is "riddled with security weaknesses" to a point that the agency cannot assure protection of its most sensitive information, a congressional audit report said Thursday.

The EPA has acknowledged security problems with its wide-reaching computer system, but said the security gaps have been, and are being corrected. Nevertheless, it temporarily shut down its Internet Web site because of concern about potential cyber attacks.

"The recent public attention brought to the agency's potential computer vulnerabilities made EPA a likely target for hackers," said the agency in a statement. It was not clear how long the Web site will be out of commission.

Rep. Thomas Bliley, R-Va., who has sharply criticized the EPA's computer security practices, on Thursday released a 15-page report by the General Accounting Office that sharply criticizes the agency's computer protection practices.

The EPA's own records, the report said, "show several serious computer security incidents in the last two years that have resulted in damage and disruption of agency operations.

The EPA computers, which hold everything from confidential information about companies involved in regulatory actions to
publicly available statistics on air pollution levels, are "highly vulnerable to tampering, disruption, and misuse," the GAO report
said.

Among the incidents cited were ones in which an intruder used an EPA computer to gain unauthorized access to state university
computers; a case where "a chat room was set up ... for hackers to post notes" and a case where an outsider allegedly gained access to an EPA computer and altered EPA employee access codes.

These incidents occurred over two years beginning in 1998, the GAO said. The report said the EPA security problems stemmed in part from poor password protection, operating systems that allowed unimpeded movement through the system and "firewalls" that were
ineffective against sophisticated hacking.

EPA spokesman David Cohen said that the agency for some time has been aware of the GAO's findings and has worked with the
congressional auditors for several months to improved security of the EPA computer system. "We will do whatever is necessary to
ensure computer security," said Cohen.
"Congressman Bliley is fully aware that we've been working with his committee and GAO to enhance our computer security," said Kim
Ruby, another EPA official.

The EPA's Web site contains a vast array of public data from statistics on air pollution to the amount of toxic chemicals a company releases into a community and pollution levels in lakes and streams.

But congressional auditors raised concern about the agency's broader computer system that contains information not publicly
available from financial data to proprietary commercial data used in developing regulations and standards.

The review "found serious and pervasive problems that essentially render EPA's agencywide information security program
ineffective," said the GAO report. "...Moreover EPA cannot ensure the protection of sensitive business and financial data maintained by its larger computer systems or supported by its agency-wide network."

Bliley in a statement applauded EPA Administrator Carol Browner's decision to shut down its Internet connection late Wednesday, but accused her of inaction on security matters over the years. He said it was "unfortunate" that publicly available information would not be available for a period of time.