The Federal Election Commission’s computer and IT security continues to suffer from “significant deficiencies,” and the agency remains at “high risk,” according to a new audit of the agency’s operations.
“FEC’s information and information systems have serious internal control vulnerabilities and have been penetrated at the highest levels of the agency, while FEC continues to remain at high risk for future network intrusions,” independent auditor Leon Snead & Company of Rockville, Md., writes.
The audit, released today, comes less than two weeks after a Center for Public Integrity investigation that revealed Chinese hackers infiltrated the FEC’s IT systems during the initial days of October’s government shutdown — an incursion that the agency’s new leadership has vowed to swiftly address.
The Chinese hacking attack is believed by FEC leaders and Department of Homeland Security officials to be the most serious act of sabotage in the agency’s 38-year history.
Leon Snead & Company’s new 34-page audit further reveals separate security breaches it discovered this year while auditing the FEC, which has in recent years endured shrinking budgets and staffing levels and historically high levels of gridlock.
The most notable security breach came in May 2012, when an unspecified “advanced persistent threat” broke into an unnamed FEC commissioner’s computer user account.
For eight months, the report states, the commissioner’s computer contained malware that gave hackers “potential” access to a variety of sensitive documents, including subpoenas, unpublicized investigations into political groups and “sensitive personal identifiable information.”
Auditors acknowledge that they were unable to determine whether such material “was actually accessed by the intrusion,” but “the opportunity did exist,” they wrote.
In another incident, an FEC employee gained “unauthorized access to personnel-related files, labor management files and administrative law files,” auditors write.