GAO Testimony: "Security Breaches at Federal Buildings in Atlanta, Georgia"

The General Accounting Office--the investigative arm of Congress--typically releases several reports, correspondences, and/or testimonies each business day. At least 99 percent of the time, these documents are available online, as well as in paper form. But the following report wasn't published electronically, so The Memory Hole has scanned and posted it.
Mr. Chairman and Members of the Committee:
We are here today to discuss the results of our test of security measures at federal office buildings in the Atlanta, Georgia, area. Specifically, you asked that special agents of the Office of Special Investigations, acting in an undercover capacity, attempt to gain unauthorized access to secure facilities in such a manner that weapons, explosives, chemical/biological agents, listening devices, or other hazardous material could have been brought into these facilities.
During February and March of 2002, our agents breached the security at four of the federal office buildings that we tested in the Atlanta area by entering these buildings without proper authority, carrying a briefcase or package and bypassing the magnetometers and X-ray machines. They were able to move freely and extensively throughout these facilities during both day and evening hours and were not challenged by anyone. Our undercover agents could have carried in weapons, listening devices, explosives, chemical/biological agents, or other such items.
All buildings required screening of visitors and valises, for example, briefcases and baggage, which included the use of magnetometers and X-ray machines at security checkpoints. The buildings required the wearing of either a blue pass or a yellow pass for identification of employees working in these buildings, which allowed them to bypass the magnetometers and X-ray machines. The blue pass could also have an additional feature added to it that would denote the bearer as being authorized to carry firearms. All passes included photo identification and had holograms on them, but were worn inside plastic pockets that can partially obscure the hologram as well as the bearer's photograph.
In early March, using a pretext for gaining access, an agent who had no building pass entered one of the buildings carrying a briefcase, bypassing the magnetometer and X-ray machines. He met with the General Services Administration (GSA) employee responsible for issuing building passes, and obtained a yellow building pass and an after-hours access code for that building.
The next day the same agent entered another building carrying a briefcase. He showed his yellow pass and stated that he wanted to obtain a blue pass for that building and bypassed the magnetometer and X-ray machines based on the strength of the yellow pass. He then met with a GSA contract employee responsible for issuing building passes and, based solely on the strength of having a yellow pass, obtained a blue building pass and an after-hours access code for two of the subject buildings. In addition, this agent was able to obtain a second feature on the blue building pass that identified him as a law enforcement officer and permitted him to carry a firearm in those buildings.
Finally, through the use of another pretext, the same agent obtained a security guard's after-hours access code for one of the buildings. He successfully used the guard's access code and the access code given to him by the GSA employee to enter this building during the evening and was thereafter able to move freely about the building without being challenged.
We then counterfeited both the yellow and blue building passes, using commercially available software, inserting in them the fictitious names used by other undercover agents and their photographs in preparation for our attempt as a group to breach the security at these facilities. The counterfeit passes contained printed holograms, not actual holograms. Had anyone made a physical inspection of our counterfeited passes, they should have been detected as being bogus.
Later in March, other agents using counterfeit yellow and blue building passes entered three of the buildings bypassing the magnetometers and X-ray machines. One of these agents carried a briefcase. These same agents also successfully entered these same buildings in the evening utilizing the access codes that were previously acquired. An agent, using a counterfeit yellow building pass, met with the GSA contract employee responsible for issuing building passes for two of the buildings. Based on the strength of the counterfeit yellow pass and a fictitious request form, the agent was issued a blue building pass and an access code number for evening entry after the security checkpoints were closed.
Additionally, one agent wore another agent's legitimate blue pass into one of the buildings, crossed over into another building through a tunnel, and was never challenged. Two agents then drove to another federal facility and, based on the strength of a legitimate yellow pass, a counterfeit yellow pass, and a pretext, gained admittance to that building bypassing the magnetometer and X-ray machines.
Finally, after we completed our test of the security for these buildings, we met with officials from the U.S. Attorney's Office, U.S. Marshals Service, GSA, and Federal Protective Service and briefed them on the results of the security tests, identifying the weaknesses found. Subsequently, the Federal Protective Service issued a security bulletin which addressed the weaknesses we identified.
In closing, I'd like to add that last week GAO's Chief Technologist testified at a hearing before the Subcommittee on Technology and Procurement Policy, House Committee on Government Reform, concerning security technologies to protect federal facilities.[1] As part of that testimony it was acknowledged that effective security also entails having a well-trained staff that follows and enforces policies and procedures.
It was noted that breaches in security resulting from human error are more likely to occur if personnel do not understand the risks and the policies that are put in place to mitigate them. Good training is essential to successfully implementing policies by ensuring that personnel exercise good judgment in following security procedures. Cited as an example was our previous work where we breached the security at 19 federal agencies and 2 airports.[2] This case further exemplifies this point. Further, the Federal Protective Service bulletin reinforces this point.
Mr. Chairman, that completes my prepared statement. We would be happy to respond to any questions you or other members of the Committee may have at this time.
1. See National Preparedness: Technology to Secure Federal Buildings, U.S. GAO-02-481T (April 25, 2002).
2. See Breaches at Federal Buildings and Airports, U.S. GAO/T-OSI-00-10 (May 25, 2000).
copyright 2002 Russ Kick