Audits: Systems Used to Track US Debt Vulnerable
GAO Audits Find Systems Treasury Department Uses Have Security Flaws
The computer systems the U.S. Department of the Treasury uses to track the nation's debt have serious security flaws that could allow unauthorized access to a wealth of federal data, according to a pair of audits released this week by the Government Accountability Office.
The audits are part of an annual review of the federal deficit that the GAO undertakes. As of Sept. 30, 2018, U.S. debt stood at about $21.5 trillion.
To keep track of all that money, including what the federal government owes to its creditors, the Treasury Department relies on IT systems at various agencies, including the Bureau of the Fiscal Service and the Federal Reserve Banks.
Within those two agencies, GAO inspectors found a combination of new and old security flaws that could provide unauthorized access to these various systems. The flaws included issues with configuration management and faulty access controls, which could cause disruptions and impede the Treasury Department's ability to oversee and manage the national debt.
While the specifics of these security flaws remain confidential, the GAO recommends that the Bureau of the Fiscal Service and the Federal Reserve Banks immediately begin addressing them.
When designed correctly, configuration management prevents unauthorized or untested changes to the infrastructure, including the networks, operating systems and applications, according to the GAO. Proper configuration management also ensures that any changes that are made are tested before being deployed, which can reduce data loss and system downtime.
The audits note that the two agencies are in early stages of developing role-based access controls within the mainframe environment.
A Huge Task
Trying to fix the myriad of systems, especially mainframes, which make up the Treasury Department's infrastructure is a huge task, says Mike Weber, vice president of Coalfire Labs, which is part of security consulting firm Coalfire.
"It should be noted that this isn't an easy lift - rolling out third-party solutions or revising the security model of core applications can be daunting, and I'd imagine the code base behind systems that manage our federal debt are complex beyond my wildest dreams," Weber tells Information Security Media Group. "Accordingly, I can understand how this can be a significant undertaking and could take quite a bit of time to roll out. The report doesn't indicate whether this is part of the initiative to improve their cybersecurity posture or not, but it certainly should be considered."
As part of its inspection, the GAO used an independent public accounting firm to assist with testing the various systems that the Treasury Department uses, according to the audits released Wednesday.
Of the two reports, the one concerning the IT systems of the Federal Reserve Banks was the less severe. The audit found only one issue, related to configuration management within one system used by the banks.
That audit does note, however, that even one issue could have far-reaching implications.
In a letter to the Board of Governors of the Federal Reserve System, the GAO notes: "These new and continuing control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs. The potential effect of these new and continuing deficiencies on the Schedule of Federal Debt financial reporting for fiscal year 2018 was mitigated primarily by Fiscal Service's compensating management and reconciliation controls to detect potential misstatements of the Schedule of Federal Debt."
In a response, the Board of Governors notes: "The agency takes control deficiencies seriously, and FRB management is currently in the process of addressing the new and continuing information system general control deficiencies GAO identified during its fiscal year 2018 audit."
The GAO report sent to the Bureau of the Fiscal Service, a unit of the Treasury Department, found eight new issues within the service's IT systems. Two of the flaws related to access controls, while six stemmed from configuration management issues.
Besides these new issues with access and configuration management, the GAO report notes that the Bureau of the Fiscal Service is still working on security issues found during a similar audit a year earlier.
Specifically, the audit found that nine of the previous 25 recommendations were still being fixed, and there are another 16 new recommendations related to security management, access controls, configuration management and segregation of duties that should be addressed.
In its response, the Bureau of the Fiscal Service said "it continues to work to address the 16 prior year recommendations that remained open as of September 30, 2018, and has established plans to address the ... new recommendations made in this year's report."
Coalfire's Weber says that because the GAO found issues two years in a row with the Bureau of the Fiscal Service, the government needs a new approach to tackling system-level security issues.
"This repeat finding is very significant, and I can only hope that the underlying reasons behind this failure are being addressed in their initiatives to improve their cybersecurity posture."