The Federal Election Commission’s computer and IT security continues to suffer from “significant deficiencies,” and the agency remains at “high risk,” according to a new audit of the agency’s operations.
“FEC’s information and information systems have serious internal control vulnerabilities and have been penetrated at the highest levels of the agency, while FEC continues to remain at high risk for future network intrusions,” independent auditor Leon Snead & Company of Rockville, Md., writes.
The audit, released today, comes less than two weeks after a Center for Public Integrity investigation that revealed Chinese hackers infiltrated the FEC’s IT systems during the initial days of October’s government shutdown — an incursion that the agency’s new leadership has vowed to swiftly address.
The Chinese hacking attack is believed by FEC leaders and Department of Homeland Security officials to be the most serious act of sabotage in the agency’s 38-year history.
Leon Snead & Company’s new 34-page audit further reveals separate security breaches it discovered this year while auditing the FEC, which has in recent years endured shrinking budgets and staffing levels and historically high levels of gridlock.
The most notable security breach came in May 2012, when an unspecified “advanced persistent threat” broke into an unnamed FEC commissioner’s computer user account.
For eight months, the report states, the commissioner’s computer contained malware that gave hackers “potential” access to a variety of sensitive documents, including subpoenas, unpublicized investigations into political groups and “sensitive personal identifiable information.”
Auditors acknowledge that they were unable to determine whether such material “was actually accessed by the intrusion,” but “the opportunity did exist,” they wrote.
In another incident, an FEC employee gained “unauthorized access to personnel-related files, labor management files and administrative law files,” auditors write.
The new audit generally criticizes the FEC for not implementing various government IT security standards, from which FEC officials have maintained the agency is exempt.
Auditors also admonish the FEC for not heeding its IT security recommendations from a separate audit conducted in 2012, stating they were “advised by FEC officials that the agency had not yet implemented any significant portion” of that earlier audit’s forewarning.
“Our analysis indicates that if FEC had implemented government-wide minimum best practice IT security controls, these intrusions and breaches may have prevented and/or more timely detected,” auditors write.
Among its latest recommendations, auditors are asking the FEC to “provide sufficient budgetary and personnel resources … to ensure that actions are properly accomplished.” They further recommend that the FEC change all of its computer account passwords within the next 60 days.
In its official response to the audit’s security-related recommendations, the FEC states that it is “moving as quickly as possible on the recommendations” and that “several of the recommendations have been implemented.”
In an interview earlier this month about the Chinese hacking incident, incoming FEC Chairman Lee Goodman, a Republican, and incoming Vice Chairwoman Ann Ravel, a Democrat, both described the fixing of the agency’s IT woes as a “top priority.”
The FEC is in the process of hiring new IT security specialists and diverting resources to reinforce systems, Goodman added.
The new Leon Snead & Company audit covered the FEC’s 2013 fiscal year, which ended Sept. 30, meaning it did not materially address the October’s Chinese hacking incident.
But the report did acknowledge that an “intrusion was detected on the agency’s website in early fiscal year 2014” following a less severe hacking incident in August, which forced the FEC to temporarily disable portions of FEC.gov. The agency’s website contains millions of records that provide the public with information about federal elections and the finances of candidates, committees and parties participating in them.
An FEC spokeswoman referred questions about the new audit to the agency’s commissioners, who couldn’t immediately be reached for comment.
White House officials, who have this month refused comment on the FEC’s problems, also could not immediately be reached.