Replies

03/05/04

Lax security left Senate files wide open

By William Jackson
GCN Staff

GOP staff members of the Senate Judiciary Committee had free access to sensitive Democratic computer files because of what investigators termed a “significant lack of security” on the committee’s network.

A report by the Senate sergeant at arms has blamed the poor controls on the IT administrator’s inexperience and lack of training.

“Forensic analysis indicated that a majority of the files and folders on the server were accessible to all users on the network,” said the report, released yesterday. “Any user on the network could read, create, modify or delete any of the files or folders.”

The report made recommendations for improving the committee’s computer security, including setting minimal technical skill standards for administrators.

The problems came to light in a three-month investigation by Sergeant at Arms William H. Pickle about leaks of Democratic memos to the press late last year. The apparent intent was to embarrass Democrats by revealing political strategies in opposing conservative judicial nominations. But the investigation exposed partisan spying by several GOP staff members.

In what was described as an unprecedented investigation, the sergeant at arms hired an outside computer forensics firm to help in the investigation.

Republican and Democratic committee staffs share a single LAN, which until recently had a single administrator. Investigators found that user accounts established before August 2001 were generally created with strict access controls. Those established after that date, when a new administrator was hired, were open.

According to Pickle’s report, a committee clerk discovered he could access Democratic files in the fall of 2001 while he watched the systems administrator working. Improper access apparently continued until last spring, when the network hardware and software were upgraded. Although many accounts remained open, the directories no longer were visible to most users. A new administrator was hired last July.

Most of the investigation’s results came from interviews with staff members. Security practices were so inadequate that forensics specialists said they could learn little.

“While there was extensive forensic analysis of servers and individual workstations, the results were limited due to the absence of proactive security auditing,” the report said.

No record was kept of changes in access controls, and it was not possible to tell who was accessing what files.

The sergeant at arms concluded that the lapses were not the result of malicious behavior by the administrator, who was hired just out of college, but rather of lack of experience, training and oversight.

The problems found in the investigation were not limited to that period, or to the Judiciary Committee.

“Like some other Senate offices, the Judiciary Committee has historically been staffed with systems administrators who preferred to perform most computer-related tasks themselves,” the report said. “This has been true even if they had only minimal technical experience.”

Since the leak was discovered, the committee’s Republican and Democratic staffs have been put on separate LANs with separate administrators. Chairman Orrin Hatch (R-Utah) and ranking Democrat Patrick Leahy of Vermont requested a network security audit by the General Services Administration in February.

Although the report identified several possible ethics and criminal violations, it made no recommendation for legal action. It did, however, recommend these actions to improve IT security throughout the Senate:

Establish technical skills assessment, certification and continuing education requirements for system administrators
Set minimum qualifications for administrators
Create a best-practices manual for computer security
Require ethics and computer security training for all new employees.