The Department of Interior left itself vulnerable to a cyberattack and unwittingly granted people off the street outside of its headquarters access to a guest wireless network — a security flaw flagged only when an unknown user was detected engaging in sexually explicit online chats with a child, records show.
Officials also brushed aside security concerns raised by information technology employees, who tried to warn officials about the risks of a free open wireless network in and around the Cabinet agency’s headquarters.
When investigators began gathering evidence in response to a report of a sexually explicit chat involving a suspected juvenile in 2012, they found they couldn’t get logs from wireless access points because system operators failed to turn on logging capability, according to records The Washington Times obtained through the Freedom of Information Act.
“Good security is having the right processes in place, testing them and doing oversight,” said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University. “But this shows they failed at every count.”
The outcome of the inspector general’s sexual misconduct investigation isn’t clear in the documents, which focus specifically on the cybersecurity lapses at the Interior Department building.
That investigation, which ended in late 2012, didn’t specify whether the security flaws were fixed, but Interior Department officials said they had addressed the problem.
SEE ALSO: Disorganization to blame for lengthy outage of Interior Dept. websites, review says
“Interior took the findings seriously and has addressed the vulnerabilities outlined in the report,” said Interior Department press secretary Jessica Kershaw.
She said access to the wireless network in the department’s main building requires a request in person for a user identification and password, and the codes now expire after a predetermined amount of time.
Ms. Kershaw said the department also has installed equipment to “minimize the transmission and access points outside of the facility.”
It’s not the first time investigators have faulted the Interior Department on cybersecurity. In 2009, an inspector general report said the agency had a decentralized information technology department with underqualified personnel who weren’t accountable for their results.
Congressional auditors have been urging federal agencies for years to beef up their wireless security. A 2010 Government Accountability Office report warned that without the right safeguards, computer networks were vulnerable to fraud and attacks.
One glaring problem at the Interior Department was that officials didn’t know the wireless signal was leaking outside of intended areas, and they never checked to find out whether they could access the Internet from outside the building.
SEE ALSO: Inside the Ring: Hagel releases cyber warfare plans to China
Later, they found that 48 wireless access points inside the building were accessible from outside, including on the corner of Virginia Avenue and 18th Street in Northwest Washington.
“The guest network was only meant to be in certain areas and yet they ended up making every wireless access point part of this network, thereby dramatically expanding the vulnerability of it,” Mr. Cate said.
The records obtained by The Times are redacted, blacking out the names and job titles of information technology staff and supervisors involved. But one IT system manager told investigators that “no matter what we do, someone can still get smart enough to get in on a guest network.”
“Let me be clear,” the official told investigators. “Every step of the process, technical people pointed out the issues that could arise.”
Timothy P. Ryan, managing director of cyber investigations for Kroll Inc. and a former FBI cybersquad chief, said the guest network poses several security concerns.
“You’re creating another way for data to leave the enterprise,” he said. “You have the corporate network, which the corporation or government entity monitors and they give out passwords and user names. When you have a guest network employees can circumvent all of your monitoring by going on that or they technically can leave a device inside the building with a persistent connection to the Internet that could create a real problem.”
Mr. Ryan recommended a risk analysis before rolling out any technology.
• Jim McElhatton can be reached at jmcelhatton@washingtontimes.com.
Please read our comment policy before commenting.