An official in the Transportation Department’s Office of Inspector General says DOT websites launched to provide the public with information about Recovery Act funding and projects are vulnerable to cyber attacks.
DOT officials launched an audit from December 2009 to July 2010 to examine whether DOT’s recovery websites, which track and disseminate the $48 billion in funds awarded for DOT’s projects, were properly configured to minimize the risk of a cyber attack.
The report concludes DOT’s websites face both high- and low-risk cyber threats.
The vulnerabilities exist “because the websites, servers, and database systems are not configured in compliance with DOT’s configuration security standards,” the report finds. “As a result, the systems are vulnerable to cyber attacks, which could not only undermine DOT’s [Recovery Act] reporting, but also interrupt DOT’s business operations.”
Most of the high-risk vulnerabilities are associated with eight of DOT’s 13 sites.
“These vulnerable websites could put users’ computers in danger by allowing hackers to gain access to the users’ computer and their personal information, thus diminishing the public’s trust in the agency.”
In some instances, the computer servers that host Recovery Act data were at risk and open to hackers who could unleash a virus onto DOT’s network.
“By exploiting the high-risk vulnerabilities, hackers could attack the computers used by the public to access the websites and gain access to sensitive data,” the report finds, “such as password files stored on servers, take control of a server and attack other computers on DOT’s networks.”
The inspector general’s office has already briefed transportation authorities on fixes for the security risks.
In August, DOT’s inspector general said the Federal Aviation Administration’s computer systems were vulnerable to cyber attacks, spurring Congress to urge FAA to make the necessary security fixes.