Audit: Stimulus websites unprotected

Administration websites created to track stimulus spending are putting users at risk of cyber-attacks on their personal computers, according to an audit by the Transportation Department expected to be released this week. 

The Hill obtained an internal Department of Transportation (DOT) report that describes the audit. It shows that DOT's websites contain many vulnerabilities, including high-risk ones that could interrupt not just stimulus-related activities, but also the everyday functions of the department. The websites could also put users at risk.

DOT created a number of websites related to the stimulus law, with dot.gov/recovery serving as the main portal. The sites keep track of the infrastructure projects funded by the Recovery Act.  

The audit says 13 stimulus websites at DOT are plagued with serious security risks; three of those sites publish information that is accessed by the public.

People who use DOT stimulus websites are giving hackers a chance to access sensitive data, including passwords, according to the audit. The websites also give hackers an inroad to attack government networks.

The memo also says the Transportation Department, which received $48 million in stimulus funding, should have minded its responsibilities to make public websites safer for users. The risks arose because the department failed to comply with existing security standards.

"DOT management needs to take immediate corrective actions to minimize the risk of cyber-attacks on these systems," the report says.

The report seems likely to raise eyebrows on Capitol Hill. Republican lawmakers and candidates have blasted the stimulus law, which they say was full of wasteful spending.

Rep. Darrell Issa (R-Calif.), the top GOP member of the House Oversight Committee, has not been shy about his intention to prioritize cybersecurity issues within the bureaucracy. He is the most likely chairman of the Oversight panel if Republicans win control of the House in the midterm elections. 

DOT conducted an audit between December and June to see if its stimulus-related websites were configured to minimize the risk of cyber-attacks. 

"By exploiting the high-risk vulnerabilities, hackers could attack the computers used by the public to access the Websites and gain access to sensitive data, such as password files stored on servers, take control of a server and attack other computers on DOT's networks," the report says.

Transparency requirements in the stimulus law prompted departments to create websites collecting and displaying information about the progress of stimulus spending.

The report memo was from Earl Hedges, acting assistant inspector general for financial and information technology at the Transportation Department. It was sent to another DOT official on Friday.