Deficient computer security at the Federal Election Commission has already led to high-level breaches and puts the agency “at high risk” of continued hacking, according to a federal Inspector General report released this month.
FEC information systems, which in the previous election tracked more than $6 billion in political spending, “have serious internal control vulnerabilities and have been penetrated at the highest levels of the agency,” according to the FEC Inspector General’s final audit for fiscal 2013.
The report, which reiterates security concerns flagged by federal auditors for several years running, identifies two specific, high-level hacking incidents. In May of last year, an adversary identified as an “Advanced Persistent Threat” compromised a commissioner’s personal user account, as well as several FEC systems, for eight months running.
During that period, the unidentified hacker had potential access to such sensitive information as details of FEC investigations, General Counsel’s reports, briefs, subpoenas, and personal identifying information.
The second intrusion took place in August of this year and involved the FEC’s public disclosure website, forcing the agency to shut down portions of the system while it investigated. While the FEC was working on remediating the August breach, “another intrusion was detected on the agency’s website in early fiscal year 2014,” according to the report.
Conducted by Leon Snead & Co. and released by the FEC on Dec. 17, the report gives no further details of the second intrusion. But a recent investigation by the Center for Public Integrity disclosed that Chinese hackers crashed FEC computer systems just after the government shutdown on Oct. 1, a breach CPI identified as possibly “the worst act of sabotage” in the agency’s 38-year history.
The CPI report flags an earlier IG audit that had warned the agency was at “high risk” for infiltration, but notes that the FEC responded then that its “systems are secure.” The Chinese hacking incident was “confirmed by three government officials” involved in an ongoing investigation that includes the Department of Homeland Security, according to CPI. During the shutdown, the report also found, commissioners had deemed not a single worker essential, leaving the system particularly vulnerable.
Outgoing FEC chairwoman Ellen Weintraub declined to comment on any specific alleged security breach, but said she is "not aware of any incidence in which sensitive information was compromised." However, she said, commissioners "do take the IG report very seriously, and we do take suggestions about IT security very seriously."
Weintraub recently tapped two commissioners, incoming GOP chairman Lee Goodman and Democrat Steven Walther, to serve on an FEC committee focused on IT issues. She said commissioners have asked the agency's chief information officer for a top-to-bottom review of IT systems, and that the FEC will soon launch a revamped search system on its website that has been long in the works. The agency's budget, which has been flat for years despite a burgeoning workload, presents ongoing constraints, she noted.
Goodman confirmed in a written statement that “upgrading the FEC’s technological capabilities, particularly its website and related security, is a priority.” Goodman also noted that the commission has requested in its legislative recommendations for the year permission from Congress to “accept gifts in order to help improve its IT capabilities, particularly its website.”
A Homeland Security official would not confirm or deny the source of the October attack. At the request of the FEC, DHS is working with law enforcement officials “to analyze any potential impacts” of the hacking incident “as well as help develop and implement appropriate additional mitigation strategies as necessary,” the official said via e-mail. While the investigation is ongoing and has reached no final conclusion, the official added, “at this point, there are no indications that any sensitive information or other personal data was compromised.”
Data insecurity has been a chronic problem for the FEC, according to federal auditors, who have warned the agency about security risks for several years running. The latest IG report released this month chides that the “FEC has failed to implement agreed upon corrective actions to address IT security vulnerabilities that have, in some cases, been outstanding for approximately five years.”
The FEC’s information security program “does not meet government-wide best practices minimum security requirements in many areas,” the IG report finds. For example, FEC officials have “not taken action” to address the problem that dozens of agency accounts have not had their passwords changed for years.
The IG report faults the FEC for failing to adopt the information technology security standards set by the National Institute of Standards and Technology under the Federal Information Security Management Act. The FEC is exempt from FISMA, but the IG report notes that other exempt agencies, such as the Government Accountability Office, have adopted NIST security standards nonetheless.
In its official Management Responses to the IG’s findings, the FEC states that the agency has adopted FISMA security requirements “where those requirements are feasible and appropriate for the agency.” The response also cites “significant steps” the agency has taken to improve security, including acquisition of a new tool to allow continuous monitoring of computers for viruses.
But the IG report argues that the “FEC will remain at high risk for intrusions and data breaches unless it fundamentally changes its governance and management approach, and adopts a risk-based IT security program that is based upon the federal government’s IT security control standard” in line with NIST best practices.