April 05, 2001, 6:57 PM — Hackers are succeeding more and more in gaining root-privilege control of government computer systems containing sensitive information, said federal officials who testified today before a U.S. House subcommittee that computers at many agencies are riddled with security weaknesses.
When an attacker gets root privileges to a server, he or she essentially has the power to do anything that a systems administrator could do, from copying files to installing software or sniffer programs that can monitor the activities of end users. And intruders are increasingly doing just that, the officials told the Subcommittee on Oversight and Investigation.
"The increase in the number of root compromises, denial-of-service attacks, network reconnaissance activities, destructive viruses and malicious code, coupled with the advances in attack sophistication, pose a measurable threat to government systems," said Sallie McDonald, an assistant commissioner at the U.S. General Services Administration (GSA).
Last year, 155 systems at 32 federal agencies suffered root compromises in which intruders took full administrative control of the machines, according to the GSA. That's up from totals of 64 root compromises in 1998 and 110 two years ago. And the government has only a vague idea of what kind of data may have fallen into the wrong hands.
For at least five of the root compromises, officials were able to verify that access had been obtained to sensitive information, McDonald testified. But for the remaining 150 incidents, she added, "compromise of any or all information must be assumed." She characterized the compromised data as involving scientific and environmental studies but said she couldn't offer further details.
Meanwhile, the U.S. General Accounting Office (GAO), in a report released today summarizing security audits that have been completed at 24 federal agencies, said it had identified significant security weaknesses at each one. Robert Dacey, director of information security issues at the GAO, said in his testimony that the shortcomings have "placed an enormous amount of highly sensitive data...at risk of inappropriate disclosure."
The government is going to find itself in "deep, deep trouble" if its IT security procedures aren't improved, warned Rep. Billy Tauzin (R-La.), chairman of the House Energy and Commerce Committee. If sensitive personal data about U.S. citizens is compromised, "Americans are going to wake up angrier then you can possibly imagine," he said.
Many of the thousands of attempts to illegally access federal systems come from abroad, testified Ronald Dick, who took over as director of the FBI's National Infrastructure Protection Center cyberdefense agency last month (see story). "We know many nations are developing information warfare capabilities as well as adapting [cybercrime] tools," he said.