EPA shutters its Web site amid security concerns
FEB. 17—The Environmental Protection Agency last night pulled the plug on its Web site, heeding the demands of House Commerce Committee Chairman Thomas Bliley, who said the site posed a security threat.
By Christopher J. Dorobek and Tony Lee Orr
GCN Staff
The Virginia Republican has led a campaign over the past year to bolster EPA systems security. He succeeded this summer with a bill that barred the agency from posting information about possible worst-case scenarios for toxic spills. [See GCN story at www.gcn.com/vol18_no24/news/350-1.html.]
He followed that action up with a request to the General Accounting Office for a review of EPA systems security generally. It was the GAO findings that led him to ask EPA yesterday to act immediately to secure data on the agency's Web site.
In a statement, EPA said the Web site shutdown is temporary while the agency installs 'additional security measures as part of ongoing efforts to prevent computer hacking.' The agency would not say when the site would return to full operation.
Bliley did not require that EPA take the whole site offline, just protect all sensitive data, committee spokesman Eric Wohlschlegel said. Although visitors can get to the home page, the links to data files are all dead.
The EPA statement said that breaking the data links was prudent while it worked on the site. The agency added that there is no evidence hackers breached any systems or obtained any sensitive information.
GAO's findings suggest otherwise. 'EPA's records show that vulnerabilities have been exploited by external and internal sources. In some cases, these vulnerabilities were exploited because EPA had not corrected known vulnerabilities and properly managed user accounts,' according to a statement submitted to the committee by David L. McClure. He is associate director of governmentwide and Defense information systems for GAO's Accounting and Information Management Division.
The closure of the EPA site came only hours before Bliley's committee was to hold a hearing on the security concerns. But based on a briefing he received earlier this week from GAO officials, Bliley postponed the hearing and directed EPA to secure the Web site.
During its audit, GAO found longstanding security problems, Wohlschlegel said. [See the GAO statement at www.gao.gov/new.items/ai00097t.pdf.]
The committee's concerns reach beyond the security of the agency's Web operations, Wohlschlegel said. 'We're talking about EPA's systems: their accounting systems, trade systems [that contain] sensitive and confidential information that could jeopardize our national and economic security,' he said. 'It's serious.'
Of particular concern is that many of the most serious weaknesses were reported to EPA management three years ago by EPA's inspector general, McClure said.
'EPA's mission-related and financial operations are riddled with security weaknesses,' he said.
GAO told Bliley EPA had poor password protection, weak network operating system controls, ineffectual perimeter defenses, faulty access controls, insubstantial intrusion detection and inadequate incident response capabilities.
Bliley, in a statement, said the shutdown was necessary because of EPA mismanagement.
'It is unfortunate that the American people temporarily will not have access to the important public information contained on the EPA Web site,' he said. 'That sad fact is the fault of no one other than EPA Administrator Carol Browner and her management team. Had they heeded seven years of warnings by security experts and performed their duties with even a modicum of responsibility over this time, last night's shutdown would not have been necessary.'