WASHINGTON (Reuters) - Lax security left the U.S. Treasury’s computer system for tracking overseas threats to America’s financial system vulnerable to hackers, according to a government audit prepared in late 2014 and obtained by Reuters.
The Treasury Foreign Intelligence Network is used by U.S. spy agencies to share top-secret information and to keep tabs on the impact of sanctions against countries such as Iran and Russia, as well as militant groups like Hezbollah.
The report, prepared in September 2014, gave no indication the foreign intelligence network had been hacked. But auditors found up to 29 percent of Treasury's devices connected to the intelligence network did not meet federal cybersecurity standards. (bit.ly/1IgUM5K)
“As a result ... devices may not be protected with the most secure recommended configurations, increasing the risk of being compromised,” the Treasury’s Office of Inspector General, or OIG, said.
A copy of the audit was obtained on Thursday through a U.S. Freedom of Information Act request. A Treasury official said the OIG had identified a “minor issue on a very secure system.”
“Since the release of the audit, Treasury has remedied this matter,” the official said.
The report comes to light following the revelation of the theft by hackers of millions of U.S. government personnel files. America’s intelligence chief has said that hack was linked to China, although U.S. officials say the government does not plan to publicly blame Beijing.
Intelligence analysts use the Treasury’s system to identify overseas threats to America’s economy and finances. Treasury Secretary Jack Lew said last year the prospect of a cyber attack on the U.S. financial system was a “real threat” to national security.
The Treasury’s intelligence system is also used to assess the economic disruption caused by U.S. sanctions on targeted countries, groups and individuals.
In a controversial deal that faces fierce opposition in Congress, the Obama administration has agreed to ease sanctions on Iran if Tehran scales back its nuclear program.
Treasury originally designed its foreign intelligence network in 2004 to be used by about 30 officials but built up the system to accommodate more users as America stepped up its global campaign against al Qaeda and other militant groups.
Between March and May of 2014, OIG auditors conducting an annual review of the Treasury’s cybersecurity found some computers using Microsoft Corp’s (MSFT.O) Windows had not been properly configured.
That meant network engineers would have trouble updating security software for the sensitive network’s computers, servers and printers, the audit said.This was not the first time auditors had found the top secret Treasury system lacking. In a 2008 audit, the OIG found the Treasury Foreign Intelligence Network was slow in upgrading a system that had relied on “antiquated hardware and software.”
In a letter attached to the 2014 report, the Treasury’s top intelligence officer, S. Leslie Ireland, said she agreed with the OIG’s findings. Treasury officials were already working to close the security gap and planned to finish that job by April 2015, about six months after the audit, Ireland said.
Reporting by Jason Lange; Additional reporting Yeganeh Torbati; Editing by Kevin Krolicki and Lisa Shumaker