GAO report critical of federal banks' security

The Government Accountability Office (GAO) in Washington, D.C., Thursday issued an information security report critical of the Federal Reserve banks’ computer systems and networks that are used in selling Treasury notes at auctions.

In its report addressed to Federal Reserve System chairman Ben Bernanke, the GAO said the dozen Federal Reserve banks that serve as fiscal agents for the Treasury Department’s Bureau of the Public Debt had failed to implement adequate security controls to support networks used in Treasury actions. The GAO, the federal government’s watchdog agency, said an in-depth review of these systems done between March and May of this year revealed several shortcomings the Fed should address, in the areas of user authentication, authorized access, and protection of sensitive data through encryption.

“Without proper safeguards, the speed and accessibility that create the enormous benefits of the computer age may allow individuals and groups with malicious intent to gain unauthorized access to systems and use the access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other sites,” the GAO warned in its report entitled “Federal Reserve Needs to Address Treasury Auction Systems.”

The report was signed by Gregory Wilshusen, director of information security issues at the GAO, Keith Rhodes, chief technologist, and Gary Engel, director of financial management and assurance at the GAO.

According to the report, the Federal Reserve banks processed $4.5 trillion in issuances, about $4.2 trillion in redemptions and about $128 billion in interest payments during fiscal year 2005, largely by using a number of online applications, some Web-based.

The Federal Reserve bank networks provide access on a distributed basis to Treasury mainframe applications for auctions. One application is said to be used by about 670 users via the Internet while other applications serve 22 brokers and dealers at competitive auctions who connect to it via workstations installed in the dealers’ offices by the Federal Reserve banks.

According to the GAO, security weaknesses associated with the networks and applications include a failure to consistently identity and authenticate users to prevent unauthorized access; failure to restrict user privileges to necessary and appropriate access; lack of strong encryption to protect sensitive data in storage and on networks; and inadequate log and audit monitoring or maintaining secure configurations on servers and workstations.

The GAO report said, “Key servers and Federal Reserve bank workstations were missing patches that could prevent an attacker from gaining remote access. In addition, the Federal reserve banks were running a database management system and network devices that were no longer supported by the vendor.”

The GAO said in addition to its public report, it would also supply the Fed with specific recommendations to address security weaknesses.

“Concerns about attacks from individuals and groups, including terrorists, are well-founded for a number of reasons, including the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, the steady advance in the sophistication and effectiveness of attack technology, and the dire warnings of new and more destructive attacks to come,” the GAO noted in its report.