Audit: FEC Still in "Significant" Danger of Hacking

Sunday, 05 January 2014 10:49 By Dave Levinthal, The Center for Public Integrity | Report

New revelations follow Center for Public Integrity report of Chinese infiltration.

The Federal Election Commission's computer and IT security continues to suffer from "significant deficiencies," and the agency remains at "high risk," according to a new audit of the agency's operations.

"FEC’s information and information systems have serious internal control vulnerabilities and have been penetrated at the highest levels of the agency, while FEC continues to remain at high risk for future network intrusions," independent auditor Leon Snead & Company of Rockville, Md., writes.

The audit, released today, comes less than two weeks after a Center for Public Integrity investigation that revealed Chinese hackers infiltrated the FEC's IT systems during the initial days of October's government shutdown — an incursion that the agency's new leadership has vowed to swiftly address.

The Chinese hacking attack is believed by FEC leaders and Department of Homeland Security officials to be the most serious act of sabotage in the agency's 38-year history.

Leon Snead & Company's new 34-page audit further reveals separate security breaches it discovered this year while auditing the FEC, which has in recent years endured shrinking budgets and staffing levels and historically high levels of gridlock.

The most notable security breach came in May 2012, when an unspecified "advanced persistent threat" broke into an unnamed FEC commissioner's computer user account.

For eight months, the report states, the commissioner's computer contained malware that gave hackers "potential" access to a variety of sensitive documents, including subpoenas, unpublicized investigations into political groups and "sensitive personal identifiable information."

Auditors acknowledge that they were unable to determine whether such material "was actually accessed by the intrusion," but "the opportunity did exist," they wrote.

In another incident, an FEC employee gained "unauthorized access to personnel-related files, labor management files and administrative law files," auditors write.

The new audit generally criticizes the FEC for not implementing various government IT security standards, from which FEC officials have maintained the agency is exempt.

Auditors also admonish the FEC for not heeding its IT security recommendations from a separate audit conducted in 2012, stating they were "advised by FEC officials that the agency had not yet implemented any significant portion" of that earlier audit's forewarning.

"Our analysis indicates that if FEC had implemented government-wide minimum best practice IT security controls, these intrusions and breaches may have prevented and/or more timely detected," auditors write.

Among its latest recommendations, auditors are asking the FEC to "provide sufficient budgetary and personnel resources ... to ensure that actions are properly accomplished." They further recommend that the FEC change all of its computer account passwords within the next 60 days.

In its official response to the audit's security-related recommendations, the FEC states that it is "moving as quickly as possible on the recommendations" and that "several of the recommendations have been implemented."

In an interview earlier this month about the Chinese hacking incident, incoming FEC Chairman Lee Goodman, a Republican, and incoming Vice Chairwoman Ann Ravel, a Democrat, both described the fixing of the agency's IT woes as a "top priority."

The FEC is in the process of hiring new IT security specialists and diverting resources to reinforce systems, Goodman added.

The new Leon Snead & Company audit covered the FEC's 2013 fiscal year, which ended Sept. 30, meaning it did not materially address October's Chinese hacking incident.

But the report did acknowledge that an "intrusion was detected on the agency’s website in early fiscal year 2014" following a less severe hacking incident in August, which forced the FEC to temporarily disable portions of The agency's website contains millions of records that provide the public with information about federal elections and the finances of candidates, committees and parties participating in them.

An FEC spokeswoman referred questions about the new audit to the agency's commissioners, who couldn't immediately be reached for comment.

White House officials, who have this month refused comment on the FEC's problems, also could not immediately be reached.


This piece was reprinted by Truthout with permission or license. It may not be reproduced in any form without permission or license from the source.

Dave Levinthal

Dave Levinthal joined the Center for Public Integrity in 2013 to help lead its Consider the Source project investigating the influence of money in politics. For two years prior to joining the Center, Dave reported on campaign finance and lobbying issues for Politico and co-wrote the daily Politico Influence column. He also edited from 2009 to 2011, where he led coverage that won the Online News Association’s top honors in 2011 for best topical reporting and blogging and was a finalist the same year for the Scripps Howard Foundation’s Distinguished Service to the First Amendment award. From 2003 to 2009, Dave worked for The Dallas Morning News, primarily covering Dallas City Hall and also reporting on national elections and aviation security. From 2000 to 2002, he covered the New Hampshire Statehouse for The Eagle-Tribune of Lawrence, Mass. A native of Buffalo, N.Y., Dave graduated from Syracuse University with degrees in newspaper journalism and political philosophy and edited The Daily Orange. He is also a two-time winner (2007 and 2010) of Canada’s Northern Lights Award for his travel writing about the Arctic.
