A report from Congress's watchdog finds that many federal agencies inconsistently apply security guidelines and best practices, leaving government networks and information vulnerable to attack.
The widespread use of wireless technologies, like WiFi-enabled laptops and smartphones, by government agencies has Congress's watchdog fearful that hackers could access critical networks and steal or manipulate sensitive information.
The findings of a wide-ranging 11-month-long audit of wireless security practices across 24 major federal agencies by the Government Accountability Office (GAO) are summarized in a report that concludes many agencies inconsistently apply leading security best practices and guidelines from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST).
The report comes as the government tries to plug information security holes in the wake of WikiLeaks' disclosure of State Department cables. (CORRECTION BELOW)
The GAO found that numerous federal agencies have failed to:
- manage their wireless networks centrally
- establish configuration requirements for wireless networks and devices
- properly train employees in wireless security practices
- require secure encryption of wireless communications
- monitor their wireless networks for suspicious activity
"Until OMB, DHS, NIST, and individual agencies take steps to fully implement leading security practices," the report warns, "federal wireless networks will remain at increased vulnerability to attack, and information on these networks is subject to unauthorized access, use, disclosure, or modification."
Of particular concern to GAO auditors was the threat of dual-connected laptops, or laptops connected to a wired network and a wireless network simultaneously. According to NIST guidelines, devices like laptop computers should only be allowed to access one network at a time. Nevertheless, the GAO found that many agencies did not address the risk of dual connection in their security policies.
The report cautions that dual-connected laptops could allow a hacker to exploit an insecure wireless connection to gain access to the wired network and sensitive information stored within. "Turning off or disabling the wireless capability when a laptop is connected to a wired network mitigates this risk," explains the GAO.
The GAO also found employees traveling overseas with wireless devices pose significant risks because "sensitive information could be compromised while a device is in another country, or that malware obtained during an international trip could be inadvertently introduced onto agency networks, placing sensitive data and systems at risk."
The GAO recommended that employees traveling overseas use a virtual private network (VPN) to relay sensitive information to agency networks when using insecure public wireless networks like airport hot spots.
Another concern during travel is smartphone security. "Due to their portability and capacity to collect and store significant amounts of sensitive information, smartphones such as the BlackBerry are susceptible to security threats such as loss, theft, unauthorized access, malware, electronic eavesdropping, and tracking," the report warns. In two attack scenarios included in the report, the GAO worries that an attacker could steal a smartphone's data storage card or replace the original with another card carrying malicious code.
The GAO report released this week comes after the giant WikiLeaks disclosure of more than 250,000 State Department cables over the weekend, which has made information security a top priority for the White House and the federal bureaucracy. In an effort to examine how the government can better protect classified information, the White House named Russell Travers, deputy director at the National Counterterrorism Center, as head of the President's Intelligence Advisory Board this week.
According to National Journal, "the board is tasked with ensuring that agencies have a proper understanding of the requirements in safeguarding classified information, getting a general sense of government officials' attitudes on leaks, and assessing how the government handles sensitive information and documents."
CORRECTION: The original article described WikiLeaks' disclosure as a "document dump." That description was inaccurate, as WikiLeaks has only disclosed approximately 2,000 of the more than 250,000 documents it has in its possession.