Watchdog cites gaps in security of wireless devices
Computers simultaneously hooked up to agency wired networks and insecure wireless networks are a particular risk, GAO finds.
Federal auditors have found holes in the security of wireless technology, including smart phones, Bluetooth devices and laptop computers, that federal employees use regularly in the office and on the go.
"Until [agencies] take steps to fully implement leading security practices, federal wireless networks will remain at increased vulnerability to attack, and information on these networks is subject to unauthorized access, use, disclosure or modification," Government Accountability Office auditors wrote in a report (GAO-11-43) released on Tuesday afternoon.
Specifically, they found gaps in security guidelines for computers that are simultaneously connected to agency wired networks and insecure wireless networks. Unless officials configure the dual-connected laptops' security controls a certain way, hackers can compromise the wireless networks to infiltrate an agency's wired networks, GAO noted.
In addition, auditors found agencies had insufficient policies on using mobile devices overseas; monitoring for unauthorized, rogue wireless networks; and scanning for unapproved devices. With the exception of the Defense Information Systems Agency, most failed to enforce secure configurations on BlackBerry smart phones, according to the report.
The auditors also warned that the Office of Management and Budget and the Homeland Security Department -- which directs federal cybersecurity operations -- might lack visibility into the security posture of the government as a whole. Agencies routinely report on security controls, as required by the 2002 Federal Information Security Management Act, but the most recent OMB-DHS reporting guidelines are silent on protections for dual-connected laptops, international travel and central oversight of wireless devices.
"Although the DHS official responsible for the agency's newly assigned governmentwide FISMA compliance activities stated that the agency plans additional activities that may address aspects of wireless security governmentwide, the scope and time frames for these activities have not yet been finalized," auditors wrote.
OMB did not comment on a draft of the report, according to GAO officials. The Commerce Department, which developed many of the guidelines in question through the National Institute of Standards and Technology, agreed with recommendations for NIST to craft additional procedures for wireless security.
"We also feel that the draft report does an outstanding job at highlighting NIST's leadership in this effort," Commerce Secretary Gary Locke wrote in a Nov. 1 letter.