1998 Congressional Hearings
Intelligence and Security



MAY 19, 1998

Release of GAO Reports

At this time, the Committee will now release three GAO reports on computer and information security, all prepared at our direction. The first two reports involve careful study by GAO of the level of computer and information security at two federal agencies, the State Department and the Federal Aviation Administration, whose operations affect the safety and well-being of us all. In their entirety, the State and FAA reports are classified. But the agencies have agreed to make public edited versions of the reports, which we are releasing today.

As the reports demonstrate, both State and FAA have pervasive and crippling security problems. First, regarding State, GAO hacked into State’s computers with ease, using hacking tools available for free on the Internet. The results of GAO’s work are startling. GAO was able to access all kinds of sensitive information, including travel itineraries for senior U.S. diplomatic officials, personnel and employment records, and e-mail traffic among State Department employees. Even worse, GAO was literally able to take control of the State Department’s computers, and could have shut them down or falsified the information on them. Unfortunately, this went undetected by the State Department.

Unlike at the State Department, GAO did not even have to break into FAA’s computers to satisfy themselves of the weaknesses there. GAO found well-documented evidence in the FAA’s own files that detailed security problems in the air traffic control system. The GAO report contains tough criticism of the FAA practices, concluding that FAA is not doing the job properly in all critical areas. The title of the report sums this up: "Air Traffic Control -- Weak Computer Security Practices Jeopardize Flight Safety."

Finally, a third GAO report we are releasing today may hold the key to improving federal government computer security. The report, which details the "best practices" used by leading private companies for computer security, ought to provide a blueprint for improvements as the State Department, the FAA, and other federal agencies struggle to manage computer security concerns. I intend to follow up with the FAA and the State Department to monitor their progress in implementing the GAO recommendations.

With these reports, the Committee also is releasing a statement by GAO that summarizes their findings.