According to a congressional report released by the U.S. General Accounting Office on Tuesday, only
three percent of the government Web sites surveyed meet currently
proposed privacy standards.
The GAO report reviewed Web content of 24 major federal agencies including
some 65 government Web sites. Only three percent of the Web sites surveyed,
or about two sites, passed the GAO’s security and privacy tests.
Joel Willemssen, director of civil agencies information and author of the
GAO report, said in a statement that privacy concerns and security risks
abound at government Web sites.
“At 21 of the 24 agencies, we identified problems in the area of security
program management fundamental to the effectiveness of privacy protections,”
Willemssen said.
The GAO’s security program management review covered a range of activities
related to understanding information security risks, including selecting
and implementing security controls and ensuring that controls, once
implemented, continue to operate effectively.
House Majority Leader Dick Armey (R-TX) blamed the White House
Administration for failing to implement the “fair information
principles” proposed by the Federal Trade Commission.
“The GAO report is a devastating assessment of the Clinton-Gore
Administration’s failure to live by its own privacy standards,” Armey said.
“People with glass Web sites should not throw stones. Since only three
percent of the Administration Web sites met all four FTC privacy criteria,
perhaps the government could take a few lessons from the private sector.”
In a statement from the White House, a representative disputed the report
as misleading because the FTC’s privacy guidelines were not designed to
apply to U.S. agencies.
What unnerves people on and offline is that the report included frightening
reviews of who has access to data collected at the U.S. Department of the
Treasury, which operates Web sites for the Internal Revenue Service, the
Bureau of Alcohol, Tobacco & Firearms, and the U.S. Customs Service, among
other federal agencies and bureaus.
Rep. Armey said he is deeply concerned about how the federal government
collects and stores vast amounts of personal information about you and me.
“You are required to give personal information to the government, you have no
choice,” Armey said. “You don’t have an option to use a commercial website
if you feel the government has a bad privacy policy. Which worries you
more? The IRS disclosing your personal financial information or the GAP.com
knowing how many pairs of jeans you’ve bought this year?”
Armey added that it is critical for the government to restore confidence in
the federal government’s ability to protect citizens’ personal information.
“I think the government should start worrying about whether it really
should be maintaining so much information on its citizens,” Armey said.
“That would be one positive step toward protecting our privacy.”
The GAO first started reviewing federal computer and security systems in
September 1996. Not much has changed since it first announced that federal
computer security systems are fraught with weaknesses and that critical
operations and government assets are at risk.
Willemssen said previous analyses have shown that federal computer systems
were not adequately protecting their networks that process, store, and
transmit enormous amounts of sensitive personal data.
“In September 1996, we reported that serious weaknesses had been found at
10 of the largest 15 federal agencies,” Willemssen said. “In that report we
concluded that poor information security was a widespread federal problem
with potentially devastating consequences. In our 1997 and 1999 reports to
the Congress, we identified information security as a high-risk issue.”
For most agencies, the weaknesses reported covered a full range of computer
security controls. Specifically, security program planning and management
were inadequate. Physical and logical access controls also were not
effective in preventing or detecting system intrusions and misuse.
In addition, software change controls were ineffective in ensuring that
only properly authorized and tested software programs were implemented.
Finally, sensitive operating system software was not adequately controlled,
and adequate steps had not been taken to ensure continuity of computerized
operations.
The report recommends that each federal agency surveyed set up
stringent management procedures and an organizational framework for
identifying and assessing risks. Once policies and controls are decided,
the agencies in question need to periodically evaluate the
effectiveness of those security controls.
In addition to problems stemming from outside threats to federal computer
systems through well publicized e-mail viruses and denial of service
attacks, the GAO report cited many examples of how lax security systems
create a threat from within by government employees.
At one agency, all 1,100 users were granted access to sensitive system
directories and settings that could alter sensitive personal data. At
another agency, 20,000 users had been provided access to one system without
written authorization. At yet another agency, system support personnel had
the ability to change data in the system audit log. As a result, they could
not only engage in a wide array of inappropriate activity, they could also
delete related segments of an audit log to cover their tracks and diminish
the likelihood that their actions would be detected.
The GAO found that simple security procedures like password protection and
regular password changes were not in place at most federal Web sites. Also, few
federal agencies had stringent timelines for removing the access permissions
of former employees.
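The weaknesses in the two paragraphs above, accounts without written authorization, former employees whose access lingers, and an audit log that its own operators can edit, are the kind of thing a routine check can surface. The following is an added example, not code from the GAO report or the article; the account records and log entries are constructed, and the one-day revocation deadline is an assumed policy value.

```python
import hashlib
from datetime import date, timedelta

# Constructed sample data: each account records whether written authorization
# exists and the date the user left (None if still employed).
ACCOUNTS = [
    {"user": "alice", "authorized": True,  "left": None},
    {"user": "bob",   "authorized": False, "left": None},              # no written authorization
    {"user": "carol", "authorized": True,  "left": date(2000, 8, 1)},  # former employee
]
REVOKE_WITHIN = timedelta(days=1)  # assumed policy: revoke within one day of departure

def access_review(accounts, today):
    """Return (unauthorized, stale): accounts lacking written authorization,
    and former employees whose access outlived the revocation deadline."""
    unauthorized = [a["user"] for a in accounts if not a["authorized"]]
    stale = [a["user"] for a in accounts
             if a["left"] is not None and today - a["left"] > REVOKE_WITHIN]
    return unauthorized, stale

GENESIS = "0" * 64  # fixed starting link of the hash chain

def chain_log(entries):
    """Hash-chain audit entries: each hash covers the previous hash and the
    entry text, so deleting or altering any segment breaks every later link."""
    prev, chained = GENESIS, []
    for entry in entries:
        digest = hashlib.sha256((prev + "|" + entry).encode()).hexdigest()
        chained.append((entry, digest))
        prev = digest
    return chained

def verify_chain(chained):
    """Return the index of the first broken link, or -1 if the chain is intact."""
    prev = GENESIS
    for i, (entry, digest) in enumerate(chained):
        if hashlib.sha256((prev + "|" + entry).encode()).hexdigest() != digest:
            return i
        prev = digest
    return -1

# Constructed audit trail for the sample system.
LOG = chain_log(["login bob", "read tax_records", "modify tax_records", "logout bob"])

if __name__ == "__main__":
    print(access_review(ACCOUNTS, date(2000, 9, 11)))
    print(verify_chain(LOG), verify_chain(LOG[:2] + LOG[3:]))  # intact vs. entry deleted
```

The chain only detects tampering if its latest hash is periodically copied somewhere the people who administer the log cannot write, since anyone who can rewrite the whole file can re-chain it.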
Willemssen said there are many specific causes of security weaknesses, but
an underlying problem is poor security program management and poor
administration of available control techniques. He added that federal
agencies need to do more to shore up security and protect the privacy
of American citizens.
“We and agency inspectors general have made scores of recommendations to
agencies regarding specific steps they should take to make their security
programs more effective,” Willemssen said. “Most agencies have heeded these
recommendations and taken at least some corrective actions. However, more
needs to be done.”