EPA’s computer “security” system still a mess

Published May 1, 2000

Enterprising hackers looking for a way to loot trade secrets, compromise law enforcement procedures, or assist foreign intelligence agencies in carrying out economic espionage used to have it good. All they had to do was raid the U.S. Environmental Protection Agency’s computer system.

According to the General Accounting Office (GAO), EPA’s computer operations are so “riddled with security weaknesses” that all of the above–and so much more–was just a few keystrokes away.

The situation got so bad that in February House Commerce Committee Chairman Thomas Bliley (R-Virginia) forced EPA Administrator Carol Browner to temporarily shut down the agency’s Web site to prevent potential mischief-makers from penetrating its loophole-ridden computer network.

Bliley demanded that Browner pull the plug after the GAO reported the agency’s computer systems were “highly vulnerable to tampering, disruption, and misuse” and that “EPA cannot ensure the protection of sensitive business and financial data maintained on its larger computer systems or supported by the agencywide network.”

It is this sensitive information–and EPA’s cavalier attitude toward protecting it–that is at the root of the unfolding computer security scandal at EPA.

The agency’s databases contain two types of information, one “public” and one “private.” Using the Internet, the public can readily access information on a variety of environmental programs at EPA, and millions do each month.

That’s not supposed to be the case with the “private” data stored at EPA. These include confidential business information (CBI), such as the exact chemical formulas of products and which chemicals are used at each stage of a manufacturing process. Companies are required to provide the agency with this information, and do so with the assurance that these trade secrets will not fall into the hands of competitors. Other data not meant for public consumption include “worst-case-scenario” information showing the potential effects of chemical accidents or acts of industrial terrorism in local communities. In light of what the GAO has uncovered, hundreds of millions of dollars worth of proprietary information, together with some of the nation’s most sensitive law enforcement information, appears to be at risk. What’s more, the problem has been festering for years. Repeated warnings of dire consequences by experts within and outside the agency have been largely ignored.

“Of particular concern,” the GAO pointed out, “is that many of the most serious weaknesses we identified–those related to inadequate protection from intrusions via the Internet and poor security planning–had been previously reported to EPA management in September 1997 by EPA’s Inspector General (IG).” The IG reported six hacker penetrations between 1992 and 1996; EPA had been unaware of four of them until alerted by outside parties, including the FBI and the Secret Service.

Having for years given little more than lip service to fixing its computer security problems, EPA now faces the daunting task of cleaning up a very ugly act. Sources at EPA say it will take months for the agency to construct a computer security system worthy of the name.

The GAO has evaluated the security safeguards of computer systems at 24 federal agencies. It ranked EPA’s 24th. This last-place finish is a grim reminder to companies just how vulnerable to theft their trade secrets have been.

Bonner Cohen is a senior fellow at the Arlington, Virginia-based Lexington Institute.