Case Study Review: U.S. DOT ARRA Website Vulnerabilities
Executive Summary The United States experienced an economic shock, commonly referred to as the “Great Recession”, in 2008 that resulted in the most job losses in any year since WWII. Payrolls plummeted, home values dove, and slumps were experienced in almost every sector of the economy. The administration of President Bush had agreed to provide federal loans to prop up the automobile industry and President-elect Obama inherited an economy in collapse. In 2009, the newly elected President Obama signed the American Recovery and Reinvestment Act (ARRA) into law. The Act provided stimulus spending in infrastructure, health, energy, education, unemployment insurance, social welfare programs, and many other areas of government interest. To address concerns from political opposition to that Act, ARRA included strong provisions governing transparency of the spending of taxpayer money. ARRA funds would be dispensed with strong requirements that taxpayers be able to monitor how their tax money is being spent. A major beneficiary of the stimulus funds was the Department of Transportation. To address the transparency issue, the department established a number of websites supported by servers and databases that the public could access to monitor the spending of their tax dollars. The DOT’s expanded web interface inherently exposed it to greater risk. This case study reviews an audit of that risk, the department’s shortfalls in mitigating the risk, its systems that may have contributed to those failures, and this reviewer’s recommended solutions.
Case Study Review
Situation
That legislation required unprecedented levels of transparency and accountability for the billions of tax dollars that would be spent on various programs including infrastructure, research, education, arts, and sciences.
For infrastructure spending, the U.S. Department of Transportation (USDOT) was to receive a substantial amount of ARRA funds. Over 48 billion dollars were earmarked for 7 operating administrations (OAs) within the department. To meet the transparency requirements of ARRA, the USDOT and its OAs set up various websites to provide taxpayers and other stakeholders with ARRA-related spending information. Given the inherent nature of risk in the Web, the launching of these websites increased the USDOT’s potential or security risks. The Office of Inspector General of the USDOT conducted an audit to determine if the department and its OAs websites were developed with best practices for risk mitigation. Of particular concern was the nature of these websites. USDOT’s public information websites are developed for the public to access the site to get information about how the USDOT is spending ARRA funds. If hackers are able to gain access to these sites, there is a risk that the hackers could use the site to gain access to user’s computers; that is, the U.S. taxpayer user’s computer. Failure to adequately protect this information would erode the public’s confidence in this important U.S. government agency. Yet worse, failure to protect this information could undermine the Act’s purpose and the U.S. government’s initiatives in general.
Key Findings The USDOT OA’s websites and databases contained 1,822 high-risk vulnerabilities. The Inspector General described high-risk vulnerabilities as those in which a hacker may be able access a public user’s computer and personal information and may be able to take control of servers to
