It's a nightmare scenario: A hacker accesses e-mails in U.S. Securities and Exchange Commission computers and splashes them across the Internet, revealing an inquiry into a company that shakes investor confidence before the probe is complete.
Such an attack has never happened at the SEC, but computer experts say it could if the agency fails to tighten security.
The SEC, an investor protection agency that demands tight internal controls from the companies it oversees, was recently criticized by congressional investigators for not having its own house in order when it comes to cyber security.
The Government Accountability Office (GAO) said last month the SEC had failed to limit remote access to its servers, establish controls over passwords, securely configure all network devices, and adopt security monitoring procedures.
A successful hacker could use nonpublic information to make trouble for a targeted company or rival.
"It wouldn't necessarily be manipulation of data by a hacker that would do the most harm," said Paul Kurtz, a former White House cyber security official. "It would be to expose information to damage another firm."
The SEC relies on computer systems to oversee the activities of stock exchanges, brokerage firms, clearing agencies and some 12,000 companies. It collects more than 600,000 public documents annually from companies, as well as confidential information in connection with enforcement cases.
The GAO staff spent five months last year assessing security at the agency's headquarters, a relatively new building in Washington, D.C., and at its computer facility in nearby Alexandria, Virginia. The SEC also has 11 regional and district offices, which were not examined.
"Overall, the SEC has not effectively implemented information security controls to properly protect the confidentiality, integrity, and availability of its financial and sensitive information and information systems," the GAO concluded.
The investigators said the SEC has made little progress in tightening internal controls to protect its information.
"If a hacker successfully entered some of the SEC computers, it's likely they (the agency) may not be able to detect it," said Gregory Wilshusen, lead author of the GAO report.
There are no reports of an outsider burrowing into the SEC's computer systems, but there have been other incidents that make experts uneasy.
Last year, the SEC charged an Estonian financial services firm and two of its employees with fraud for allegedly hacking into Business Wire and stealing corporate press release data that had not yet been made public. The pair made at least $7.8 million by strategically timing long, short and options trades based on the stolen information, according to the SEC.
Corey Booth, director of the SEC's office of information technology, said there needs to be a cultural shift in the way the agency's more than 3,800 employees handle passwords, share information and develop systems at the agency.
"At the end of the day, it's about people who are in possession of data," Booth said. "We are fully committed to cleaning this stuff up by the end of this fiscal year on September 30."
Kurtz, who is now executive director of the Cyber Security Industry Alliance, an information security advocacy group, agreed with Booth that SEC employees must help guard systems.
"This is not all about technology (such as) 'Do you have the right firewall and the right authentication technology?'"
In its March report, the GAO said the SEC corrected eight of 51 weaknesses previously identified by the GAO. But the GAO audit also uncovered 15 new weaknesses that reflect the SEC's failure to develop a comprehensive security program.
GAO investigators said the SEC increased security personnel and created a backup data center, but has not yet developed procedures to assess risks and analyze security incidents.
"These controls are essential to ensure that financial information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction," the GAO investigators said.
SEC Chairman Christopher Cox, who inherited the agency's computer shortcomings when he took over in August, has said information security is one of his top priorities in 2006 and steps have been taken on his watch to improve data security.
For instance, the SEC has a new incident response program and a disaster recovery procedure for a dozen major computer applications using the SEC's back-up data center.
"My feeling is that he (Cox) is on the right track, and that with increased technology, the SEC will be able to achieve the important objectives of the GAO's report," said Harvey Pitt, a former SEC chairman who is now a consultant.
Early next month GAO staff will start another round of tests to see how much progress has been made.