Last week the Government Accountability Office (GAO) released an audit on the Federal Communications Commission’s (FCC) Enhanced Secured Network (ESN) project that questions the network security of the very agency that regulates online communications. Things are going so poorly with the project that the GAO couldn’t even release full findings to the public — instead, a separate report with limited distribution was prepared “making 26 recommendations associated with 21 findings to resolve technical information security weaknesses related to access controls and configuration management of the ESN.”
Sean Gallagher at Ars Technica explains the back story:
“In August of 2011, while in the middle of upgrading its network security monitoring, the Federal Communications Commission discovered it had already been hacked. Over the next month, the commission’s IT staff and outside contractors worked to identify the source of the breach, finding an unspecified number of PCs infected with backdoor malware.
After pulling the infected systems from the network, the FCC determined it needed to do something dramatic to fix the significant security holes in its internal networks that allowed the malware in. The organization began pulling together a $10 million “Enhanced Secured Network” project to accomplish that.”
“FCC’s efforts to effectively manage the ESN project were hindered by its inconsistent implementation of procedures for estimating costs, developing and maintaining an integrated schedule, managing project risks, and conducting oversight.”
The report concludes that as the result of this mismanagement, the FCC did not implement appropriate security controls in the initial phase of the project, nor has it consistently implemented key security procedures for managing the program to the point that the “FCC’s information remained at unnecessary risk of inadvertent or deliberate misuse, improper disclosure, or destruction” — essentially leaving the system, and thus sensitive internal FCC communications and information about the people and companies doing business with the FCC, vulnerable to the same sort of breach found in 2011 that prompted the Enhanced Secured Network project in the first place.
While the shortage of cybersecurity expertise in government is nothing new, that the very agency responsible for regulating online communications was forced to resort to outside assistance to secure its networks — and just how spectacularly that outside assistance failed — is yet another wake-up call to the severity of the shortage and the real impact it has on our government’s ability to do its job.
In a later update to Ars Technica, Octo Consulting President Mehul Sanghani clarified that they were “responsible for providing ‘acquisition support to the FCC’ for the ESN contract” and “[o]nce the contract was awarded, Octo was also tasked with providing project management support to supplement the FCC IT staff that was tasked with overseeing the work” while the actual execution was done by MicroTech and subcontractor Booz Allen Hamilton.