Weak Internet Security Leaves FEC Vulnerable to Hackers.
Wall Street Journal, June 10, 2015
Brody Mullins And Rebecca Ballhaus
FEC OIG Report 2014 Management Challenges Includes IG Statement and Managements Response
Weak Internet Security Leaves U.S. Elections Agency Vulnerable to Hackers, Reports Find Internal audits say Federal Election Commission hasn't implemented recommended fixes
WASHINGTON-Weak Internet-security measures at the Federal Election Commission could impair the agency's ability to carry out one of its primary missions: making information about who is funding U.S. elections available to the public.
The FEC hasn't implemented improvements that were recommended after a series of attacks on its website-including at least one successful hack-leaving it vulnerable to future breaches, according to three previously unreported internal reports.
It took the agency weeks to get its campaign-finance disclosure system fully back up to speed after an attack by hackers in China disrupted its operation during the October 2013 government shutdown, when all of the agency's 335 employees had been furloughed.
The FEC said no private information about donors, voters or other individuals was obtained during the hack. But weaknesses in FEC systems, which one report said the agency had known about for more than a decade, raise questions about the security of the large amount of personal financial data the agency holds. That data includes bank account information that the FEC has collected as part of investigations into possible violations of campaign-finance law.
The FEC's troubles fit a broader pattern in which the government has struggled to ward off hacking. Last week, U.S. officials said they suspected that hackers in China stole the personal records of as many as four million people in a breach of Office of Personnel Management computers. Russian hackers also are suspected in a large, long-running breach of State Department computers.
The nonpartisan Center for Responsive Politics, which analyzes data from the FEC's website, said the 2013 hack hurt its ability to disclose information about campaign donors, given how heavily it relies on agency data. "It really highlighted how vulnerable their data systems were," said CRP executive director Sheila Krumholz.
After the hack, there was a four-day period during which campaign-finance disclosures were difficult to navigate, said FEC Chief Information Officer Alec Palmer. The data wasn't removed from the site, he said, although he acknowledged the system wasn't fully functional for some weeks.
The three internal reviews were conducted late last year and the reports are available on the agency's website.
"Due to a lack of proper planning, FEC has struggled in prior years to implement corrective actions that address the vulnerabilities to FEC's information and information systems," said a report prepared by an independent auditor, Leon Snead & Co., dated Nov. 17, 2014. The report said the agency's information systems "remain at risk."
The FEC's chief financial officer, in a written statement that accompanied the auditor's report, said there was "a significant deficiency" in the agency's information technology security controls.
Among the FEC's other shortcomings: it doesn't adhere to government-wide standards for data security and lacks a full-time employee to oversee IT security.
The reports said the FEC began making significant improvements to its IT security last year, including working with the Department of Homeland Security to assess the vulnerability of its networks.
Last year, the FEC's commissioners voted unanimously to increase its IT budget by $2.6 million, a portion of which helped update the agency's servers. Mr. Palmer, disputing the report, said the agency has improved its security every year.
Republican FEC Commissioner Lee Goodman praised the progress the agency has made on IT security, and said the FEC-like many government agencies-is the target of hacking attempts on a daily basis. "During the past 18 months, commissioners have worked together to improve the agency's IT security," he said in an interview.
Another report by the agency's inspector general criticized the FEC for not hiring a full-time chief information officer. Mr. Palmer serves as both staff director and CIO. In a follow-up report released in March 2015, the inspector general's office said it "continues to be concerned" with the lack of a full-time employee.
Democratic FEC Commissioner Ellen Weintraub said she supports the recommendation in the inspector general's report. "I mean no disrespect to the incumbent when I say we really need to have two people doing two jobs so that both jobs are done in the best possible manner," she said in an interview.
The inspector general's report said the IT breaches "could possibly have been prevented or minimized if the agency had adopted and aligned with the governmentwide security standards applicable" to the FEC.
Write to Brody Mullins at firstname.lastname@example.org and Rebecca Ballhaus at Rebecca.Ballhaus@wsj.com