Entitled "Federal Records: National Archives and Selected Agencies Need to Strengthen E-Mail Management," the new report comes in the wake of the long battle over thousands of missing e-mails from White House officials that the Bush Administration has been unable or unwilling to locate. Many of those e-mails were sent and received during the run-up to the invasion of Iraq in March 2003.
Among the report's findings is the revelation that employees at the Dept. of Homeland Security have access to Web-based e-mail services, such as Gmail and Hotmail, from government computers. Such e-mail systems are often the conduit for various forms of malware including viruses, phishing scams, and the like.
"Although employees can currently access Web-based and Internet-accessible private e-mail systems," the report states, "the department is taking steps to restrict or remove this access."
"The entire apocalypse-in-a-box that is the Internet is allowed to tunnel through all of Homeland Security's security," writes government cyber-security expert David Gewirtz, in an analysis based on the GAO report, "because employees can open the Pandora's box of trouble that's everyone's e-mail account on the Net."
Calling this "a whopper of a security flaw," Gewirtz adds, "Osama bin Hacker can just as easily send a virus or a trojan into the Department of Homeland Security's 'secured' private network as he can to you or me."
The National Archives is charged with preserving and documenting government and historical records, including documents such as the the original copies of the Declaration of Independence, the Constitution, and the Bill of Rights as well as electronic records that preserve the day-to-day functioning of government and communications by senior officials. "Under the Federal Records Act, NARA is given general oversight responsibilities for records management as well as general responsibilities for archiving," the GAO report explains.
However, according to the report, "NARA has conducted no inspections of agency records management programs since 2000." In addition, "NARA has not consistently reported details on records management problems or recommended practices that were discovered as a result of its studies."
The GAO recommends that NARA implement a more active approach to its oversight responsibilities in order to "provide adequate assurance that agencies are following NARA guidance," including designating more explicitly which digital records (including staff e-mails) are officially "federal records" and thus need preserving.
Last month, a U.S. District Court judge issued an opinion in a lawsuit filed by the Citizens for Responsibility and Ethics in Washington over the missing executive-branch e-mails, ruling that the White House Office of Administration doesn't have to make public internal documents examining the potential disappearance of the e-mails. The Office of Administration isn't a "federal agency" and thus is not subject to the Freedom of Information Act (FOIA), the judge found. Separate legal attempts to recover the missing messages themselves continue.
The GAO audit was provided to the United States House Committee on Oversight and Government Reform.