GAO Report on Weaknesses in EPA Information Security.
Date released: August 11, 2000.
Source: GAO.
Editor's Notes:
• Tech Law Journal converted a PDF copy into HTML.
• The appendices are not included here.
• Footnotes have been converted into endnotes, and two-way hyperlinked.
• Copyright Tech Law Journal. All rights reserved.
United States General Accounting Office
GAO
Report to the Chairman, Committee on Commerce, House of Representatives
July 2000
INFORMATION SECURITY
Fundamental Weaknesses Place EPA Data and Operations at Risk
GAO/AIMD-00-215
[begin page 1]
Letter 3
Appendixes
Appendix I: Objectives, Scope, and Methodology 24
Appendix II: Comments From the Environmental Protection Agency 26
Appendix III: GAO Contact and Staff Acknowledgments 39
Figures
Figure 1: The Risk Management Cycle 15
Abbreviations
EPA Environmental Protection Agency
IG Inspector General
NIST National Institute of Standards and Technology
OEI Office of Environmental Information
OMB Office of Management and Budget
[begin page 2]
[begin page 3]
United States General Accounting Office
Washington, D.C. 20548
Accounting and Information Management Division
B-285625
July 6, 2000
The Honorable Tom Bliley
Chairman
Committee on Commerce
House of Representatives
Dear Mr. Chairman:
This report responds to your August 18, 1999, request that we evaluate
the Environmental Protection Agency’s (EPA) information security
program. It expands on our February 17, 2000, statement, which provided
our initial findings;[1] discusses
EPA’s actions since mid-February to address the weaknesses we
identified; and recommends needed corrective actions. On June 16, 2000, we
issued a "Limited Official Use" report to you that detailed
specific technical weaknesses found during our tests. Due to their
sensitivity, those details are not included in this version of the report
for public release.
In 1997 and again in 1999, EPA’s Inspector General (IG) reported
serious inadequacies in the agency’s information security planning,
control of Internet services, and monitoring of network activities as well
as an absence of formal firewall technologies to protect EPA from outside
intruders.[2] Your request for our
evaluation was based largely on your concerns about EPA’s progress in
addressing these problems. Specifically, you asked that we (1) evaluate
EPA’s computer-based controls, (2) determine the extent and impact of
computer security incidents at EPA, and (3) evaluate the agency’s
information security program management. Our objectives, scope, and
methodology are discussed in more detail in appendix I. We performed our
work in accordance with generally accepted government auditing standards.
[begin page 4]
Results in Brief
Our review found serious and pervasive problems that
essentially rendered EPA’s agencywide information security program
ineffective. Our tests of computer-based controls concluded that the
computer operating systems and the agencywide computer network that
support most of EPA’s mission-related and financial operations were
riddled with security weaknesses. Of particular concern is that many of
the most serious weaknesses we identified—those related to inadequate
protection from intrusions via the Internet and poor security
planning—had been previously reported to EPA management in 1997 by
EPA’s IG.
The negative effects of such weaknesses are illustrated by EPA’s own
records, which show several serious computer security incidents since
early 1998 that have resulted in damage and disruption to agency
operations. In addition, we identified deficiencies in EPA’s incident
detection and handling capabilities that limited EPA’s ability to fully
understand or assess the nature of or damage due to intrusions into and
misuse of its computer systems. As a result of these weaknesses, EPA’s
computer systems and the operations that rely on these systems were highly
vulnerable to tampering, disruption, and misuse from both internal and
external sources. Moreover, EPA could not ensure the protection of
sensitive business and financial data maintained on its larger computer
systems or supported by its agencywide network.
Since the close of our audit in mid-February, EPA has moved
aggressively to reduce the exposure of its systems and data and to correct
the weaknesses we identified. These efforts, which include both short-term
and long-term improvements to system access controls, are still underway,
and we have not tested their effectiveness. However, EPA’s actions show
that the agency is taking a comprehensive and systematic approach that
should help ensure that its efforts are effective.
Sustaining these improvements in today’s dynamic computing
environment will require continuing vigilance and management attention.
Our review of EPA security program planning and management found that
EPA’s existing practices were largely a paper exercise that had done
little to substantively identify, evaluate, and mitigate risks to the
agency’s data and systems. Accordingly, ensuring that corrective actions
are effective on a continuing basis and that new risks are promptly
identified and addressed will entail implementing significant improvements
in the way EPA plans for and manages its information security program. In
January 2000, EPA’s Principal Deputy Assistant Administrator for the
Office of Environmental [begin page 5] Information
(OEI) issued a memorandum outlining planned improvements in the way EPA
centrally manages its information security program. These planned
management improvements, if effectively implemented, will begin to address
many of the deficiencies we identified. However, implementing them will
require a major adjustment in the way EPA’s program and technical staff
manage the agency’s information security risks.
We are recommending that the EPA Administrator take a number of steps
to strengthen access controls associated with EPA’s major computer
operating systems and agencywide network, enhance incident management
efforts, and improve security program management and planning. In comments
to a draft of this report, EPA concurred with our recommendations and
described related corrective actions.
National Concern About Information Security Is Growing
Information security is an important consideration for any
organization that depends on information systems and computer networks to
carry out its mission or business. Computer security risks are
significant, and they are growing. The dramatic expansion in computer
interconnectivity and the exponential increase in the use of the Internet
are changing the way our government, the nation, and much of the world
communicate and conduct business. However, without proper safeguards,
these developments pose enormous risks that make it easier for individuals
and groups with malicious intentions to intrude into inadequately
protected systems and use such access to obtain sensitive information,
commit fraud, disrupt operations, or launch attacks against other
organizations’ sites. Further, the number of individuals with computer
skills is increasing, and intrusion, or "hacking," techniques
are readily available and relatively easy to use. The rash of cyber
attacks launched in February 2000 against major Internet firms is
illustrative of the risks associated with this new electronic age.
[begin page 6]
Computer-supported federal operations are also at risk. Our previous
reports, and those of agency IGs, describe persistent computer security
weaknesses that place a variety of critical federal operations at risk of
disruption, fraud, and inappropriate disclosures.[3] This body of audit evidence led us, in 1997 and
again in 1999, to designate computer security as a governmentwide
high-risk area in reports to the Congress.[4] Our most recent summary analysis found that
significant computer security weaknesses had been identified in 22 of the
largest federal agencies, including EPA.[5]
How well federal agencies are addressing these risks is a topic of
increasing interest in both the Congress and the executive branch. This is
evidenced by recent hearings on information security, proposed legislation
intended to strengthen information security, and the President’s January
2000 National Plan for Information Systems Protection.[6] As outlined in this plan, a number of new,
centrally managed entities have been established and projects have been
initiated to assist agencies in strengthening their security programs and
improving federal intrusion detection capabilities. In addition, on March
3, 2000, in response to recent Internet disruptions, the President issued
a memorandum to the heads of executive departments and agencies urging
them to renew their efforts to safeguard their computer systems against
denial-of-service attacks from the Internet.
EPA Is a Major Steward of National Environmental Information
EPA’s mission is to protect human health and safeguard the
environment. The need to manage its programs for results substantially
increases EPA’s demand for high-quality environmental information. Such
information is also required to identify and respond to emerging problems
before significant damage is done to the environment. To fulfill its
mission, EPA and the states collect a wealth of environmental data under
various statutory and regulatory requirements. In addition, EPA conducts
research [begin page 7] on environmental
issues and collects data through its own environmental monitoring
activities.
EPA’s major program offices—the offices of Water; Air and
Radiation; Research and Development; Solid Waste and Emergency Response;
and Prevention, Pesticides and Toxic Substances—are responsible for
implementing pertinent statutes, such as the Clean Air Act and the Clean
Water Act. An assistant administrator heads each program office. Ten
regional offices, headed by regional administrators, assist in executing
the agency’s programs and determine regional needs within selected
states. Also, administrative offices, including the Office of the Chief
Financial Officer and OEI, headed by assistant administrators or their
equivalents, support the overall mission of the agency.
EPA has spent significant time and resources to develop its information
systems and computer networks to assist in carrying out its
mission—reportedly $435 million and $403 million in fiscal years 1998
and 1999, respectively, for data collection and information management and
technology operations and investments. The integrity and availability of
the information maintained on EPA computers is important since it is used
to support EPA’s analyses, research, and regulatory activities.
Because of the nature of its mission, EPA collects, oversees, and
disseminates data of varying sensitivity. EPA makes much of its
information available to the public through Internet access in order to
encourage public awareness and participation in managing human health and
environmental risks and to meet statutory requirements. EPA also maintains
confidential data from private businesses, data of varying sensitivity on
human health and environmental risks, financial and contract data, and
personal information on its employees. Consequently, EPA’s information
security program must accommodate the often competing goals of making much
of its environmental information widely accessible while maintaining data
integrity, availability, and appropriate confidentiality.
Like many other organizations, EPA’s computer environment has changed
over the last few years from one involving a centralized mainframe with a
highly controlled network to one involving many large computers on a
network with nearly unlimited access, including public access through the
Internet. This new environment is beneficial because it provides EPA
opportunities for streamlining operations and it has provided public
access to significant amounts of information. However, this increasingly [begin page 8] interconnected computing environment
also significantly elevates the risks of inappropriate access to sensitive
and critical data. These risks include exposing EPA computers and data to
individuals with malicious or criminal intentions, who may want to disrupt
or misuse EPA’s systems for purposes such as fraud, sabotage, or
obtaining sensitive business or personnel data. As a result, EPA, like
many other private and government organizations, faces the challenge of
balancing the benefits of new technology and Internet use with the new
risks such technology introduces. Because such risks cannot be completely
eliminated, this balancing act requires a proactive approach to managing
information security risks that is dynamic and constantly attentive to
changing threats.
EPA’s System Access Controls Were Ineffective
Computer systems access controls are key to ensuring that only authorized individuals can
gain access to sensitive and critical agency data. They include a variety
of tools such as passwords, which are intended to authenticate authorized
users; access control software, which is used to specify individual
users’ privileges on the system (e.g., read, alter, copy, or delete
files); and firewalls, which are to serve as barriers for filtering out
unwanted access.
Our tests showed that EPA’s access controls were ineffective in
adequately reducing the risk of intrusions and misuse. Using widely
available software tools, we demonstrated that EPA’s network was highly
susceptible to intrusions through the Internet and that user and system
administrator passwords could be easily accessed, read, or guessed. In
addition, we identified weaknesses in all of EPA’s computer operating
systems that made it possible for intruders, as well as EPA employees or
contractors, to bypass or disable computer access controls and undertake a
wide variety of inappropriate or malicious acts. These acts could include
tampering with data; browsing sensitive information; using EPA’s
computer resources for inappropriate purposes, such as launching attacks
on other organizations; and seriously disrupting or disabling
computer-supported operations.
Because the weaknesses we identified were associated with the operating
systems of EPA’s main computers and agencywide network—resources that
are referred to as "general support systems"—they affected the
security of all of the EPA operations that rely on them. These operations
include computer applications that EPA’s individual units rely on to
carry out their day-to-day operations, such as gathering data on
pollutants, research, regulatory enforcement, and financial management.
[begin page 9]
In short, we identified weaknesses that, if exploited, could have
allowed us to control individual EPA computer applications and the data
used by these applications. As such, we could have copied, changed,
deleted, or destroyed information, thus rendering any security controls
implemented for software applications used in specific EPA office networks
virtually ineffective. The most significant problems identified by our
work are discussed below.
Ineffective Perimeter Defenses
A firewall and similar perimeter defenses are an organization’s first line of defense from
outside intrusion. Put simply, a firewall is a software package that
controls the content of inbound and outbound computer network traffic,
allowing only authorized traffic through its filters. If a firewall is not
properly deployed, it may be overly restrictive, thus unnecessarily
hindering the flow of network traffic, or it may be too weak, thus
providing little or no protection. EPA’s firewall and other perimeter
defenses (referred to as screening routers)—designed largely to protect
agency systems from unauthorized access from the Internet—were not
effective in preventing such intrusions because of weaknesses in their
configuration and deployment. In our tests, we simulated the type of
attacks that might be employed by a computer hacker intruding via the
Internet and readily breached and took control of EPA’s firewall and
other perimeter defenses, thereby gaining access to EPA’s agencywide
network.
Weak Network and Operating System Controls
In addition to having ineffective perimeter defenses, EPA
did not have adequate controls over access to key network components.
During our tests, we were able to move throughout the network unimpeded
and could have diverted, altered, or disrupted network traffic. Further,
we gained access to EPA’s major computer systems and the applications
supported by them. As a result, by intruding from the Internet, we could
have browsed, altered, or deleted data associated with these applications
or disrupted their operation.
Poor Password Protections
Passwords are EPA’s primary means of ensuring that access
to key network components is appropriately restricted to authorized
personnel. However, we identified serious weaknesses in EPA’s controls
over the confidentiality and integrity of its passwords. For example, we
were able to guess many of EPA’s passwords based on our knowledge of
commonly used passwords, and we were able to decrypt encrypted password
files by using commonly available "password-cracking" software.
While on the network, we [begin page 10] eavesdropped
on computer users’ activities, observed them keying in passwords, and
used these passwords to obtain "high level" system
administration privileges. Such privileges would have allowed us to (1)
change system access and other rules, (2) potentially read, alter, delete,
or redirect network traffic, and (3) read or tamper with files maintained
on EPA’s larger computers.
Recent Remediation Efforts
Our audit has provided EPA’s senior management with
specific information on individual control weaknesses, and EPA has moved
promptly to address these weaknesses. In a meeting with senior OEI
management and technical staff in December 1999, we alerted EPA to
significant security vulnerabilities identified by our testing, which,
because of their severity, warranted immediate remediation by EPA. This
interaction was productive and resulted in quick corrective actions.
Further, in mid-February, EPA began a series of more comprehensive
efforts to supplement its information security controls and ensure the
effectiveness of those in place. In addition, as an interim step to reduce
its risks, EPA temporarily disabled its link to the Internet and
discontinued certain services and access privileges while it (1) assessed
the relative criticality and sensitivity of its computer-supported
operations, (2) reevaluated the agency’s and its customers’ needs for
access to data, and (3) implemented strengthened controls. While we have
not retested EPA controls and, therefore, cannot attest to the
effectiveness of its recent improvement efforts, EPA’s actions
demonstrate that it is moving in the right direction and taking a
systematic, risk-based approach. Such an approach is important in helping
to ensure that improvement efforts are effective and appropriate. As
discussed later in this report, it is important that these efforts to
strengthen technical controls be supported by improvements in the way EPA
manages information security on an ongoing basis.
EPA’s Systems and Data Have Been Compromised and Misused
EPA’s records show that vulnerabilities, such as those
just described, have been exploited by both external and internal sources.
In some cases, these vulnerabilities were exploited because EPA had not
corrected known vulnerabilities and properly managed user accounts.
Further, those records illustrate deficiencies in EPA’s ability to
detect, respond to, and document security incidents affecting its systems.
[begin page 11]
The records we analyzed consist primarily of security-related problem
reports for 1998 and 1999 that EPA extracted for us from a computerized
database maintained at its National Computer Center. By analyzing the
database and related records, we identified about two dozen instances
where security weaknesses were exploited and EPA systems were compromised
or misused. EPA’s records, while incomplete for many incidents, show
that some incidents resulted in damage, disruption, and criminal
investigations. In addition, the records showed that EPA was the subject
of repeated systematic probes from a variety of domestic and foreign
sources. Both the nature and routine pattern of these probes are
characteristic of attempts to identify vulnerabilities in EPA’s computer
network. Such activity raises concerns that intruders may be preparing for
future penetrations.
Some examples that illustrate the types of intrusions and misuse we
identified follow. These examples were taken from EPA’s records; we did
not independently investigate them. For many of the examples, we could not
determine the full extent of any damage caused by the incidents or how the
incidents were resolved because this information had not been documented
in EPA’s records. For other examples, details cannot be publicly
disclosed because the incidents are currently under investigation.
- In June 1998, EPA was notified that one of its computers was used by
a remote intruder as a means of gaining unauthorized access to a state
university’s computers. The problem report stated that
vendor-supplied software updates were available to correct the
vulnerability, but EPA had not installed them.
- In July 1999, a "chat room" was set up on a network server
at one of EPA’s regional financial management centers for hackers to
post notes and, in effect, conduct on-line electronic conversations.
According to EPA, this incident was still under investigation in
mid-January of this year.
- In February 1999, a sophisticated penetration affected three of
EPA’s computers. EPA was unaware of this penetration until notified
by the Federal Bureau of Investigation.
- In June 1999, an intruder penetrated an Internet web server at
EPA’s National Computer Center by exploiting a control weakness
specifically identified by EPA about 3 years earlier during a previous
penetration on a different system. The vulnerability continued to
exist because EPA had not implemented vendor software updates
(patches), some of which had been available since 1996.
[begin page 12]
- On two occasions during 1998, extraordinarily large volumes of
network traffic—synonymous with a commonly used denial-of-service
hacker technique—affected computers at one of EPA’s field offices.
In one case, an Internet user significantly slowed EPA’s network
activity and interrupted network service for over 450 EPA computer
users. In a second case, an intruder used EPA computers to
successfully launch a denial-of-service attack against an Internet
service provider.
- In September 1999, an individual gained access to an EPA computer
and altered the computer’s access controls, thereby blocking
authorized EPA employees from accessing files. This individual was no
longer officially affiliated with EPA at the time of the intrusion,
indicating a serious weakness in EPA’s process for applying changes
in personnel status to computer accounts.
Poor Intrusion Detection and Incident Response Capabilities Further Impair EPA’s Security
Even strong controls may not block all intrusions and
misuse, but organizations can reduce the risks associated with such events
if they promptly take steps to detect intrusions and misuse before
significant damage can be done. In addition, accounting for and analyzing
security problems and incidents are effective ways for organizations to
gain a better understanding of threats to their information and of the
costs of their security-related problems. Such analyses can pinpoint
vulnerabilities that need to be addressed to help ensure that they will
not be exploited again. In this regard, problem and incident reports can
provide valuable input for risk assessments, help in prioritizing security
improvement efforts, and be used to illustrate risks and related trends in
reports to senior management.
During our reviews of technical controls and of EPA’s security
problem and incident records, we identified a number of deficiencies in
EPA’s incident detection and handling capabilities.
- EPA’s capabilities for detecting intrusions and misuse were very
limited. The automated detection tools EPA had implemented were not
effectively deployed, and in some instances, logs of computer
activities were not promptly analyzed to identify unusual or
suspicious events or patterns. The effect of these limitations was
illustrated by the fact that EPA did not recognize and record much of
the activity associated with our test activities. While 23 problem
reports were recorded, indicating knowledge about our intrusion
testing, none of them recognized the magnitude of our activity or the
severity of the security breaches we initiated.
[begin page 13]
- For most of the instances where security weaknesses were actually
exploited, EPA had not fully documented the extent of resulting damage
or disclosure. Such information is helpful in better understanding
security risks and in determining how much to spend on related
controls.
- EPA did not routinely analyze problem reports to identify
trends and vulnerabilities and apply lessons learned to other units
throughout the agency.
- EPA did not fully follow up on problems to ensure that they were
resolved and that identified vulnerabilities were not repeatedly
exploited.
- Problem listings were not protected from browsing. Such protection
is important to ensure that intruders or others cannot gain detailed
information on security vulnerabilities awaiting correction or monitor
the investigations of incidents that they may have originated.
- EPA had not established adequate standards, controls,
responsibilities, and procedures to ensure uniform and complete
management of security problems and responses or clearly
differentiated government and contractor responsibilities.
- EPA had not routinely summarized and reported security problems and
their resolutions to senior EPA managers so that they were aware of
the magnitude of the problems and related trends.
EPA’s incident recordkeeping procedures provide a beginning for more
robust incident handling and analysis practices. However, the weaknesses
described above diminish the value of these records and of related
follow-up activities.
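The record-analysis steps the report says EPA was not performing (documenting damage and resolution, following up so the same vulnerability is not exploited twice, and summarizing problems for senior management), shown as an added example that is not part of the GAO report. The problem reports, hostnames and field names below are constructed for illustration and only loosely resemble the incidents the report describes.

```python
"""Review of security problem reports for the gaps the GAO report identified.

Added example, not from the GAO report. All records and field names are
constructed; the root-cause labels are assumed categories, not EPA's own.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class ProblemReport:
    report_id: str
    date: str            # ISO date (constructed)
    host: str            # constructed hostname
    category: str        # "intrusion", "denial-of-service" or "misuse"
    root_cause: str      # e.g. "unapplied-vendor-patch"; "unknown" if never determined
    damage: str = ""     # blank means the extent of damage was never documented
    resolution: str = "" # blank means follow-up was never recorded


# Constructed sample records, loosely modelled on the incidents the report lists.
RECORDS = [
    ProblemReport("PR-001", "1998-06-10", "host-a", "intrusion", "unapplied-vendor-patch",
                  damage="used as a hop to a university network", resolution="patched"),
    ProblemReport("PR-002", "1998-09-02", "host-b", "denial-of-service", "traffic-flood",
                  damage="450 users lost network service"),
    ProblemReport("PR-003", "1999-02-14", "host-c", "intrusion", "unknown"),
    ProblemReport("PR-004", "1999-06-21", "web-1", "intrusion", "unapplied-vendor-patch"),
    ProblemReport("PR-005", "1999-07-05", "fin-srv", "misuse", "weak-password",
                  resolution="under investigation"),
    ProblemReport("PR-006", "1999-09-30", "host-d", "misuse", "stale-account",
                  damage="authorized users locked out of files"),
]


def incomplete_records(records):
    """Reports whose damage or resolution was never documented."""
    return [r.report_id for r in records if not r.damage or not r.resolution]


def repeated_root_causes(records, min_count=2):
    """Root causes behind more than one incident: vulnerabilities that were not
    closed after the first exploitation. Returns {cause: [report ids]}.
    Reports whose cause was never determined cannot be correlated and are skipped."""
    by_cause = defaultdict(list)
    for r in records:
        if r.root_cause != "unknown":
            by_cause[r.root_cause].append(r.report_id)
    return {cause: ids for cause, ids in by_cause.items() if len(ids) >= min_count}


def management_summary(records):
    """Incident counts per year and category, the kind of trend figure a
    senior-management report would carry. Returns {year: {category: count}}."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r.date[:4]][r.category] += 1
    return {year: dict(counts) for year, counts in summary.items()}


if __name__ == "__main__":
    print("undocumented damage/resolution:", incomplete_records(RECORDS))
    print("repeated root causes:", repeated_root_causes(RECORDS))
    print("summary by year:", management_summary(RECORDS))
```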
Security Program Planning and Management Are Fundamentally Weak
It is imperative that EPA correct the specific weaknesses we
identified. However, ensuring that computer security controls remain
effective on an ongoing basis will require substantial changes to the way
EPA approaches information security, especially in regard to (1) assessing
risk and determining security needs and (2) ensuring that existing
controls are operating effectively. Our review of EPA’s security
planning and management process found that OEI, which includes EPA’s
Chief Information Officer, and EPA’s program and support offices were
not adequately working together to ensure that information security risks
were fully understood and addressed.
The need for federal agencies to protect sensitive and critical, but
unclassified, data has been recognized for years in various laws,
including
[begin page 14]
the Privacy Act of 1974, the Paperwork Reduction Act of 1980, and the
Computer Security Act of 1987. In particular, the Computer Security Act of
1987 requires federal agencies to establish security plans for all federal
computer systems that contain sensitive information. Also, the Office of
Management and Budget (OMB) Circular A-130, Appendix III, Security of
Federal Automated Information Resources, notes that all agency systems
merit some level of protection and requires agencies to implement controls
commensurate with risk. It also requires agencies to ensure that these
controls are reviewed at least every 3 years and directs senior program
managers to formally authorize use of each system prior to its
implementation and periodically thereafter.
Our own study of leading security management practices used in
commercial and nonfederal settings serves to help pinpoint the significant
weaknesses in EPA’s computer security program management.[7] We found that these leading
organizations manage their information security risks through a cycle of
risk management activities. The basic framework—built on 16 specific
practices—provides for risk management through an ongoing cycle of
activities coordinated by a central focal point. This management process,
shown in figure 1, involves
- assessing risk to determine information security needs,
- developing and implementing policies and controls that meet these
needs,
- promoting awareness to ensure that risks and responsibilities are
understood, and
- instituting an ongoing program of tests and evaluations to ensure
that policies and controls are appropriate and effective.
[begin page 15]
Figure 1: The Risk Management Cycle
[diagram omitted]
This process is generally consistent with OMB and National Institute
of Standards and Technology (NIST) guidance on information security
program management, and it has been endorsed by the federal Chief
Information Officers Council as a useful resource for agency managers.
By adopting the risk management principles and practices recommended by
our guide, agencies can better protect their systems, detect attacks,
and react to security breaches.
[begin page 16]
- describe information security program roles, responsibilities, and
procedures consistent with the office’s mission, including assigning
responsibility to knowledgeable staff; and
- ensure that staff are provided security awareness training.
According to EPA policy, each unit’s strategy for meeting these
requirements is to be documented in information security program plans.
Placing such responsibilities with EPA’s individual program and support
offices is appropriate because individual units are the most familiar with
the sensitivity and criticality of their data and have the most to lose if
poor security negatively affects their operations. Our review of
individual office security plans and discussions with responsible
officials found that many of EPA’s major offices did not fully consider
information security risks, clearly define the level of protection needed
for their operations, or ensure that controls were implemented
effectively. In particular, most offices did not adequately consider the
security risks associated with the operating systems and agencywide
network upon which their individual applications and information systems
heavily rely. Nor did they consider other factors affecting the security
of their individual systems, such as interfaces with other users’
systems. For example, information security plans for some financial
applications did not address the risks associated with other financial
systems or other program offices’ applications that transmit sensitive
financial information.
In addition, EPA offices did not consistently apply the data risk
categories, or sensitivity levels, described in EPA policy as the basis
for determining what information security controls were needed. Some
offices applied other categories or only partially applied EPA’s
guidance. For example, at the six offices for which security plans had
been finalized, none identified the overall system sensitivity rating
required to determine which set of minimum control requirements outlined
in EPA agencywide guidance was appropriate for the systems.
Further, senior officials authorized some systems for processing
without testing access controls to ensure that they had been implemented
and were operating effectively. Twenty-eight of the 54 system security
plans we reviewed had received no management authorization. Such
authorizations are important because, according to OMB and EPA guidance,
they are intended to represent management’s determination that the
security of the systems supporting their operations is adequate.
[begin page 17]
Central Security Management Functions Are Inadequate
While EPA program and mission-support offices bear much of
the responsibility for ensuring that systems supporting their operations
are adequately and effectively protected, EPA’s OEI, which encompasses
agency-level information technology management and information security
activities, has an essential role in providing the needed technical
expertise and in effectively implementing technical controls.[8] Our studies of security practices
at leading organizations have shown that information security is a
responsibility that must be shared by both technical and program staff.
This is because, while program offices are in the best position to
identify their most sensitive and critical operations and assets, they
usually need assistance from technical personnel and security specialists
who have current knowledge of the latest threats and of the range of
technical controls that can be applied. As in many organizations, most of
EPA’s technical staff and security specialists who support the
agencywide network are organizationally placed under the Assistant
Administrator of OEI, who also serves as EPA’s Chief Information
Officer.
We found that OEI and its predecessor organization, which was under the
Office of Administration and Resources Management, had not proactively
monitored the effectiveness of information security efforts throughout the
agency or provided adequate assistance to program offices. While an office
within OEI had developed agencywide security policies and conducted some
security-related training, neither that office nor any other EPA office
had taken on the role of facilitating and coordinating implementation of
EPA’s security policies throughout the agency or of ensuring that all
systems are periodically tested to confirm that controls are operating
effectively.
Our study of leading organizations found that a strong central focal
point was important to ensuring that policies were consistently understood
and implemented and that risks, including those associated with agencywide
networks and other broadly used support systems, were fully understood and
considered in individual office plans. In its current formulation, OEI’s
structural organization and staffing capacity simply do not adequately
[begin page 18]
address the requisite elements of an effective agencywide security program.
While the agencywide information security policy and guidance developed
by OEI generally complied with OMB guidance, we identified several areas
where it could be supplemented and clarified to help ensure more effective
security program management at both the individual office level and
EPA-wide.
Specifically, EPA’s information security policy, procedures, and
guidance did not
- clearly distinguish between mandatory and optional requirements;
- define practical risk assessment procedures;
- clearly define responsibilities of Senior Information Resource
Management Officers, system managers, information managers, or
application owners, or describe staff’s responsibility and
involvement in plan development;
- establish an entitywide or office self-assessment process; or
- establish an entitywide process for monitoring resolution of
identified security vulnerabilities.
These deficiencies are in addition to those previously described
related to EPA incident handling capabilities.
EPA Has an Opportunity to Build on Its Ongoing Information Security Initiatives
The problems we identified pose significant challenges for
EPA’s entire executive and senior management ranks. The agency
established OEI in October 1999 to improve the way it generally manages
the large amounts of information it collects and maintains. While this
reorganization may result in benefits in other areas of information
management, at the close of our review, it had not yet significantly
changed the way information security was being managed and addressed
throughout the agency.
Planned improvements to the way EPA manages information security were
outlined in a January 28, 2000, memorandum to EPA executives from the
Principal Deputy Assistant Administrator for OEI. These included (1) an
effort by the Office of Information Collection within OEI to take a
broader look at the agency’s information protection policies,
particularly how the sensitivity of information is determined, and (2)
establishment of a "Technical Information Security Staff" to
rapidly enhance EPA’s technical approach to information security. The
memorandum identified the new security staff’s key functions as
[begin page 19]
- developing technical approaches and implementation policies,
- researching and synthesizing best practices,
- supporting senior managers in understanding and carrying out their
information security roles,
- educating users and technical staff,
- developing processes and procedures for tracking and reporting
security incidents, and
- overseeing the auditing and effectiveness of security programs.
These provisions address many of the management deficiencies we
identified, and we encourage EPA to move forward in implementing them.
However, effective implementation will require joint efforts by both
program and technical staff and a major adjustment in the way EPA
considers information security risks and in its management approach. The
Technical Information Security Staff will face major challenges in
facilitating communication and cooperation among EPA’s (1) National
Computer Center staff, (2) program, financial, and regional officials, and
(3) the various components of OEI. It will be essential that the new
security staff proactively oversee and coordinate security-related
activities throughout EPA and ensure that controls are periodically
tested, especially those controls that protect the most sensitive and
critical of EPA’s data.
Conclusion
EPA is confronted with significant computer security
problems that threaten its operations and data. Many of these problems
pertain to specific technical control issues and EPA’s security incident
handling capabilities. These weaknesses require immediate attention, and
EPA has begun steps to address them. However, at EPA, as at other
organizations, public and private, ensuring that these improvements
continue to be effective and implementing a sustainable information
security program will require top management support and leadership,
disciplined processes, consistent oversight, and, perhaps, additional
levels of technical and funding support. EPA has also begun efforts to
implement these important management practices. It is important that these
efforts be institutionalized and sustained in the long term.
Recommendations
Control Weaknesses
We recommend that the EPA Administrator direct EPA’s
Principal Deputy Assistant Administrator for the Office of Environmental
Information to complete efforts to develop and implement an action plan
for strengthening access controls associated with EPA’s major computer
operating systems and agencywide network. This will require ongoing
cooperative efforts between EPA’s Office of Environmental Information
and EPA’s program and regional offices. We provided EPA a detailed list
of these control weaknesses and related recommendations in the Limited
Official Use report.
Incident Handling
We recommend that the Administrator direct EPA’s Principal
Deputy Assistant Administrator for the Office of Environmental
Information, the assistant administrators, and the regional administrators
to
- implement policy and procedures for monitoring suspicious activity
in log files and audit trails on a regular schedule commensurate with
current threats and potential impact of damage or disruption and
- restrict access to security incident data so that only those
individuals involved in monitoring and investigating incidents can
view such data.
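The following script is added here as an illustration and is not part of the GAO report, the Limited Official Use report, or any EPA system. It shows what the two recommended practices above look like in working code: it parses constructed syslog/sshd-style audit-trail lines (sample data, not EPA logs), flags a burst of failed logins from one source, a successful login immediately after such a burst, an off-hours interactive login, and a switch to root, and then writes the incident report so that only the monitoring role's own account can read it. The failure threshold, time window, off-hours range, and log format are assumptions chosen for the example, not EPA policy; the text's "schedule commensurate with current threats" is where those values would be tuned.

```python
import os
import re
import stat
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-trail lines in syslog/sshd style (not EPA data).
SAMPLE_LOG = """\
Jan 14 02:01:10 host1 sshd[100]: Failed password for root from 10.0.0.5 port 4001 ssh2
Jan 14 02:01:12 host1 sshd[101]: Failed password for root from 10.0.0.5 port 4002 ssh2
Jan 14 02:01:13 host1 sshd[102]: Failed password for admin from 10.0.0.5 port 4003 ssh2
Jan 14 02:01:15 host1 sshd[103]: Failed password for oracle from 10.0.0.5 port 4004 ssh2
Jan 14 02:01:16 host1 sshd[104]: Failed password for root from 10.0.0.5 port 4005 ssh2
Jan 14 02:01:20 host1 sshd[105]: Accepted password for root from 10.0.0.5 port 4006 ssh2
Jan 14 09:15:00 host1 sshd[200]: Failed password for jsmith from 10.0.1.7 port 5000 ssh2
Jan 14 09:15:30 host1 sshd[201]: Accepted password for jsmith from 10.0.1.7 port 5001 ssh2
Jan 14 23:40:00 host1 su[300]: pam_unix(su:session): session opened for user root by jsmith(uid=1001)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                     r"(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<ip>\S+)")

# Assumed policy values (example only): tune to current threats and potential impact.
FAIL_THRESHOLD = 5              # failures from one source IP within WINDOW
WINDOW = timedelta(minutes=1)
OFF_HOURS = range(0, 6)         # 00:00-05:59; interactive logins in this range get reviewed


def parse(text, year=2000):
    """Parse syslog-style lines (which carry no year) into event dicts; skip unparseable lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]})
    return events


def detect(events):
    """Return (rule, subject, timestamp) findings for: a burst of failed logins,
    a success right after such a burst, an off-hours login, and a switch to root."""
    findings = []
    failures = defaultdict(list)          # source IP -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        a = AUTH_RE.match(ev["msg"])
        if a:
            ip, user = a["ip"], a["user"]
            # Keep only the failures that fall inside the sliding window for this source.
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= WINDOW]
            if a["result"] == "Failed":
                failures[ip].append(ev["ts"])
                if len(failures[ip]) == FAIL_THRESHOLD:   # fire once per burst, not per failure
                    findings.append(("brute_force", ip, ev["ts"]))
            else:
                if len(failures[ip]) >= FAIL_THRESHOLD:   # the guess apparently succeeded
                    findings.append(("success_after_failures", f"{user}@{ip}", ev["ts"]))
                if ev["ts"].hour in OFF_HOURS:
                    findings.append(("off_hours_login", f"{user}@{ip}", ev["ts"]))
        elif ev["prog"] == "su" and "session opened for user root" in ev["msg"]:
            findings.append(("root_escalation", ev["msg"], ev["ts"]))
    return findings


def write_report(findings, path):
    """Write the incident report readable and writable by the owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for rule, subject, ts in findings:
            f.write(f"{ts.isoformat()} {rule} {subject}\n")
    os.chmod(path, 0o600)                 # also tighten a pre-existing, more permissive file
    return stat.S_IMODE(os.stat(path).st_mode)


def run(text=SAMPLE_LOG, report_dir=None):
    """Parse, detect, write the restricted report; return the findings and the file mode."""
    findings = detect(parse(text))
    report_dir = report_dir or tempfile.mkdtemp()   # mkdtemp creates the directory as 0700
    mode = write_report(findings, os.path.join(report_dir, "incidents.txt"))
    return findings, mode


if __name__ == "__main__":
    for finding in run()[0]:
        print(*finding)
```

On the sample data the script reports four findings: the fifth failure from 10.0.0.5 within a minute, the root login from that address seconds later, the same login as an off-hours event, and the su to root at 23:40; the single failed attempt by jsmith followed by a normal-hours success produces nothing. The sliding window is evaluated at each event rather than over fixed minutes so a burst straddling a minute boundary is not missed, and the report is created with its restrictive mode at open time rather than chmod'ed afterwards, so there is no interval during which other users could read it.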
To strengthen EPA’s ongoing security posture and incident management
efforts, we recommend that the Administrator direct EPA’s Principal
Deputy Assistant Administrator for the Office of Environmental Information
to
- develop, document, and enforce standards, controls, and procedures
for security intrusion and misuse detection, recording, response,
follow-up, analysis, and reporting, including clear assignment of
responsibilities for government and contractor employees to ensure
appropriate oversight of security functions;
- analyze existing and future problem reports to identify deficiencies
in system controls, incident records, and problem responses; and
- periodically report summaries of security incidents and responses to
senior EPA and application managers in order to raise awareness of
security risks, ensure that response actions and control improvements
are appropriately managed, and ensure that the related risks are
considered in security planning.
[begin page 21]
Security Program Planning and Management
We recommend that the
Administrator direct EPA’s Principal Deputy Assistant Administrator for
the Office of Environmental Information, the assistant administrators for
other EPA offices, and the regional administrators to work together to
- identify and rank their information assets and computer-supported
operations according to their sensitivity and criticality to EPA’s
mission;
- determine what level of protection is appropriate to adequately
reduce the information security risks associated with these operations
and assets;
- select procedures and controls that provide this protection;
- identify and prioritize improvement actions needed; and
- implement a program of routine and periodic testing and evaluation
of the procedures and controls adopted, with emphasis on those
procedures and controls affecting the most sensitive and critical
information assets.
We also recommend that the Administrator direct EPA’s Principal
Deputy Assistant Administrator for the Office of Environmental Information
to
- proactively assist EPA offices in understanding and implementing
EPA’s agencywide information security policy;
- assist EPA program and regional offices in understanding the
information security risks associated with their operations, including
those risks stemming from their reliance on general support systems,
such as the agencywide network maintained by EPA’s National Computer
Center;
- assist offices in developing and implementing plans for testing key
information security controls associated with systems under their
control;
- develop and implement plans for testing key information security
controls associated with general support systems and other systems
under their control;
- monitor progress in implementing actions needed to address
identified information security weaknesses;
- periodically report to the Administrator and the heads of EPA
program and support offices on the effectiveness of EPA’s
information security program; and
- adjust and supplement EPA’s written information security policies
and related guidance to include information that
- clarifies which elements of policies and related guidance are
mandatory and which are optional,
[begin page 22]
- defines information security roles and responsibilities, and
- defines procedures and provides tools for agencywide
self-assessments.
Agency Comments and Our Evaluation
In written comments on a draft of this report, EPA’s
Principal Deputy Assistant Administrator for the Office of Environmental
Information concurred with our recommendations and described EPA’s
corrective actions. According to the comments, EPA has taken steps to
strengthen access controls, enhance its intrusion detection capabilities,
and improve its information security management structure. Further,
EPA’s plans include
- establishing a program for testing and evaluating the controls and
procedures adopted,
- improving the risk assessment process, and
- better supporting program managers in carrying out their
information security related responsibilities.
We cannot yet draw conclusions on the effectiveness of EPA’s actions
because many have not yet been fully implemented and others have not been
independently tested. However, the corrective actions described represent
a comprehensive approach to improving EPA’s agencywide information
security program and, if implemented effectively, should significantly
strengthen EPA’s security posture. To be effective on an ongoing basis,
it is important that EPA’s efforts be institutionalized as part of a
continual cycle of risk management activity. In this regard, the periodic
tests and evaluations that EPA plans to implement should provide EPA
management with important information on the success of its actions and
provide a basis for fine-tuning the agency’s security program in the
future.
As agreed with your office, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days from
the date of this letter. At that time, we will send copies to Senator Max
Baucus, Senator Christopher S. Bond, Senator Robert C. Byrd, Senator Pete
V. Domenici, Senator Richard J. Durbin, Senator Frank Lautenberg, Senator
Joseph Lieberman, Senator Barbara A. Mikulski, Senator Bob Smith, Senator
Ted Stevens, Senator Fred Thompson, and Senator George V. Voinovich, and
to Representative Dan Burton, Representative John D. Dingell,
Representative Stephen Horn, Representative John R. Kasich, Representative
Alan B. Mollohan, Representative David R. Obey,
[begin page 23]
Representative John Spratt, Representative Jim Turner, Representative
James T. Walsh, Representative Henry A. Waxman, and Representative C.W.
Bill Young in their capacities as Chairmen or Ranking Minority Members of
Senate and House Committees and Subcommittees. We are also sending copies
to the Honorable Carol M. Browner, Administrator, Environmental Protection
Agency; the Honorable Nikki L. Tinsley, Inspector General, Environmental
Protection Agency; the Honorable Jacob J. Lew, Director, Office of
Management and Budget; and other agency officials. Copies will be made
available to others upon request.
If you have questions regarding this report, please contact me at (202)
512-6240 or by e-mail at mcclured.aimd@gao.gov.
Sincerely yours,
David L. McClure
Associate Director
Defense and Governmentwide
Information Systems
Footnotes
[1] Information Security: Fundamental
Weaknesses Place EPA Data and Operations at Risk (GAO/T-AIMD-00-97, February 17,
2000).
[2] EPA’s Internet Connectivity
Controls, Office of Inspector General Report of Audit (Redacted Version),
September 5, 1997, and Audit of EPA’s Fiscal 1998 Financial Statements,
Office of Inspector General Audit Report Number 99B0003, September 28, 1999.
[3] Information Security: Serious
Weaknesses Place Critical Federal Operations and Assets at Risk (GAO/AIMD-98-92,
September 23, 1998).
[4] High-Risk Series: Information
Management and Technology (GAO/HR-97-9, February 1997) and High-Risk Series: An
Update (GAO/HR-99-1, January 1999).
[5] Critical Infrastructure Protection:
Comprehensive Strategy Can Draw on Year 2000 Experiences (GAO/AIMD-00-1, October
1, 1999).
[6] Defending America’s Cyberspace:
National Plan for Information Systems Protection: An Invitation to a Dialogue,
issued by the President on January 7, 2000.
[7] Information Security Management:
Learning From Leading Organizations (GAO/AIMD-98-68, May 1998).
[8] The Paperwork Reduction Act of 1995
and the Clinger-Cohen Act of 1996 stipulate that agency heads are directly
responsible for information technology management, including ensuring that the
information security policies, procedures, and practices of their agencies are
adequate. These acts also require the appointment of chief information officers
for all federal agencies to help provide the expertise needed to implement
effective information resources management.