FCC invests $10M in new network security but leaves backdoor unlocked

In August of 2011, while in the middle of upgrading its network security monitoring, the Federal Communications Commission discovered it had already been hacked. Over the next month, the commission's IT staff and outside contractors worked to identify the source of the breach, finding an unspecified number of PCs infected with backdoor malware.

After pulling the infected systems from the network, the FCC determined it needed to do something dramatic to fix the significant security holes in its internal networks that allowed the malware in. The organization began pulling together a $10 million "Enhanced Secured Network" project to accomplish that.

But things did not go well with ESN. In January, a little less than a year after the FCC presented its plan of action to the House and Senate's respective Appropriations Committees, a Government Accountability Office audit of the project, released publicly last week, found that the FCC essentially dumped that $10 million in a hole. The ESN effort failed to properly implement the fixes, and it left software and systems put in place misconfigured—even failing to take advantage of all the features of the malware protection the commission had selected, leaving its workstations still vulnerable to attack. In fact, the full extent of the problems is so bad the GAO's entire findings have been restricted to limited distribution.