The Federal Election Commission (FEC), the government agency that keeps track of money raised each term by candidates and political action committees, is highly vulnerable to intrusions and data breaches according to a recent audit that discovered “significant deficiencies” in the FEC’s IT security program.
The concerns stem from an audit (.PDF) conducted earlier this month by Maryland-based Leon Snead & Company that surfaced online this week.
The report notes the FEC must “fundamentally change its governance and management approach and adopt a risk-based IT security program” that meets the best practices laid out by the National Institute of Standards and Technology (NIST).
The audit calls out the FEC for only following NIST best practices “when applicable” and urges the agency to be more like the Government Accountability Office (GAO), which, like the FEC, is technically exempt from the Federal Information Security Management Act (FISMA) but still adheres to NIST’s guidelines.
The FEC has asserted that it makes its own discretionary decisions on when to implement “government-wide IT security requirements,” yet the audit, which covered the FEC’s fiscal year ending September 2013, failed to find any semblance of a security review policy at the agency.
The audit follows news earlier this month that Chinese hackers thoroughly compromised the FEC’s networks during the United States government shutdown in October.
Those revelations came in the form of a six-month study by the Center for Public Integrity that culminated in an in-depth report on December 17.
While the China hacks aren’t addressed in the audit, they are corroborated when the report acknowledges that servers “have been penetrated at the highest levels of the agency.”
The audit brings up a few other times the agency was attacked, including an occasion in May 2012 when a commissioner’s account was compromised and the computer was infected with malware for an eight-month period. That intrusion could have given attackers access to subpoenas, reports and sensitive financial information, but the agency was never able to verify whether any data was stolen.
Outside contractors analyzed the attack in October 2012 and gave the FEC guidance on how to eliminate future threats, yet one year later the audit found that the agency still had not begun implementing the bulk of those recommendations.
The audit gets into a slew of other security concerns for the agency before it’s through, including poor password management (many users have been granted non-expiring passwords) and the agency’s deprecated vulnerability scanning program. The consultants are urging the FEC to address all of the issues in the coming new year.
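The non-expiring-password finding is the kind of thing an agency can check for itself from an account export before an auditor does. The script below is an added example, not part of the article or the audit report; it assumes a hypothetical CSV export with the columns shown, uses constructed sample rows, and assumes a 90-day maximum password age as the policy value. It flags enabled accounts whose passwords never expire (rated higher for privileged accounts) and enabled accounts whose password is simply overdue for rotation, then orders the findings by severity and staleness.

```python
"""Audit a user-account export for weak password hygiene.

Added example, not from the article or the FEC audit. The CSV columns and
sample rows are constructed; the 90-day maximum age is an assumed policy.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export (hypothetical columns): one row per account.
SAMPLE_EXPORT = """\
username,enabled,password_never_expires,password_last_set,privileged
jdoe,true,false,2013-08-15,false
asmith,true,true,2011-02-03,true
svc_backup,true,true,2012-11-20,false
bjones,false,true,2010-05-01,false
clee,true,false,2013-01-10,true
"""

MAX_PASSWORD_AGE_DAYS = 90          # assumed policy value, not from the audit
AS_OF = date(2013, 9, 30)           # end of the fiscal year the audit covered
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def load_accounts(text):
    """Parse the export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            "never_expires": row["password_never_expires"].strip().lower() == "true",
            "last_set": datetime.strptime(row["password_last_set"].strip(), "%Y-%m-%d").date(),
            "privileged": row["privileged"].strip().lower() == "true",
        })
    return accounts


def find_findings(accounts, as_of, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (username, issue, severity, password_age_days) tuples.

    Disabled accounts are skipped: they cannot be used to log in, so they are
    out of scope for this particular check (they belong in a stale-account review).
    """
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        age = (as_of - a["last_set"]).days
        if a["never_expires"]:
            # A non-expiring password on a privileged account is the worst case:
            # a single stolen credential stays valid indefinitely.
            severity = "high" if a["privileged"] else "medium"
            findings.append((a["username"], "password_never_expires", severity, age))
        elif age > max_age_days:
            findings.append((a["username"], "password_overdue", "medium", age))
    # Highest severity first, then the oldest passwords first within a severity.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[2]], -f[3]))
    return findings


def summarize(findings):
    """Count findings per severity so the report can lead with the totals."""
    counts = {}
    for _, _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def audit_sample():
    """Run the check over the constructed export as of the fiscal-year end."""
    return find_findings(load_accounts(SAMPLE_EXPORT), AS_OF)


if __name__ == "__main__":
    results = audit_sample()
    print(summarize(results))
    for username, issue, severity, age in results:
        print(f"{severity:6} {username:12} {issue:24} password age {age} days")
```

Running the script on the constructed export reports one high finding (the privileged account with a non-expiring password) and two medium ones. On a real export, the `privileged` column would come from group membership and the maximum age from the agency's own policy; the ordering logic is what matters, because it puts the accounts that extend an intrusion the longest at the top of the remediation list.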