A new congressional report saying federal agencies are highly vulnerable to cyber-attacks is simply confirming what has long been known, say security experts: the government, at least online, is a sitting duck.
The report, from the General Accounting Office, the non-partisan investigative arm of Congress, gave the federal government a grade of D- for the way it places "a broad array of federal operations and assets at risk of fraud, misuse and disruption."
Departments from Defense to Treasury have committed flagrant computer security violations, the report said.
"This is like a 'duh' statement for the hacking community and the security community," said John Vranesevich, founder of AntiOnline.com, a computer security firm. "Here's something else we can throw on top of the already thousand-mile high heap we have telling you we need better resources and better security."
"It's a free-for-all," he continued. "Everyone from teenagers trying to impress their girlfriends to foreign governments trying to steal U.S. secrets [are trespassing on federal sites]. ... Government and military sites are broken into so much now that they don't even make the news."
A typical example, he said, occurred over the weekend, when six Army Web sites were shut down by a teenage hacker protesting the federal government's stance against Napster, the online music-trading service.
The sites for Army Signal Command, the Army Medical Department and several National Guard sites remained inaccessible as of Monday afternoon.
Army spokesman Major Bill Bigelow could not confirm the attacks but stressed that the sites in question do not contain classified information. He added that the Army has made real strides in protecting its networks. "We do not sit around and wait for someone to violate our system [before] we modify it," he said.
But if a kid can wreak online havoc with seemingly little effort, "what can a foreign government do?" asked Vranesevich. "The government is not even at the point where they understand completely how their systems are being broken into."
Rhetoric from doomsayers or naysayers aside, the GAO report, released by the House Subcommittee on Government Management, Information and Technology, lays it out in greater detail.
The report card includes grim marks for individual departments within the federal government — more than one in four of the major U.S. bureaucracies received a grade of F.
Failing grades went to the departments of Agriculture, Justice, Labor, the Interior, and Health and Human Services, as well as the Small Business Administration and the Office of Personnel Management, the federal human resources office.
The Defense Department earned only a D-plus.
"There is no room for complacency for the stakes are simply too high," said panel chairman Stephen Horn, a California Republican, at the hearing where he released both the GAO survey and the grades assigned by his panel.
Government officials are increasingly concerned about potential cyber-attacks motivated by everything from mischievousness to intelligence-gathering, crime and sabotage, the GAO survey said.
As authorities rely more and more on computer networks, "there is a greater likelihood that information attacks will threaten vital national interests," GAO added.
Each of the 24 audited agencies was faulted for "serious weaknesses" in controls on access to their systems, up from 23 in September 1998, when the last such GAO audit was released.
Data gathered in the past year, including the GAO audit and self-reported data from the bureaucracies and their inspectors-general, show that federal computer security is "fraught with weaknesses and that, as a result, critical operations and assets continue to be at risk," it said.
Taxpayer Information Unprotected
For example, the report said accounts often remained open even after employees or contractors wound up their employment.
Likewise, access was not promptly cut off or curtailed to reflect changes in responsibilities. And managers were routinely giving "overly broad access privileges to very large groups of users" rather than doling access out to those with a specific need to know, the study found.
At one unnamed agency, all 1,100 users had been granted access to sensitive system directories and settings, the GAO found.
Illustrating the stakes involved, it said the Treasury Department's computer-security failings boosted the risk of fraud associated with billions of dollars in U.S. payments and collections.
At the Defense Department, such shortcomings "increase the vulnerability of various military operations that support the department's warfighting capability," added GAO. The Defense Department had no immediate comment.
In addition, cracks in the system put huge caches of taxpayer and proprietary business information at risk of inappropriate disclosure, GAO said.
To test user-authentication and access controls, the investigators sought to pierce network security, often from outside computers, with the cooperation of the agencies they were auditing.
They managed to break in almost every time, "gaining unauthorized access that would allow intruders to read, modify, or delete data for whatever purpose they had in mind," the report said.
The agencies studied control almost 99 percent of the money the federal government spends. The House panel gave D's to the departments of Treasury and Veterans Affairs along with the Environmental Protection Agency, General Services Administration and National Aeronautics and Space Administration.
Computer security at the Central Intelligence Agency was not rated "because of the nature of its work," but the spy agency gave a classified briefing to panel members, subcommittee spokeswoman Bonnie Heald said.
Vranesevich, the computer security consultant, said that for every government department, it should be "a matter of threat assessment.
"In this present-day society, is our greatest threat going to be what's thrown or launched against us or something digital?"
— Reuters contributed to this report