The Inspector General (IG) of the Interior Department (DoI) told a House panel on Wednesday that its audit of the department’s information technology controls found inadequate defense-in-depth measures at three bureaus and nearly 3,000 “critical and high-risk vulnerabilities in hundreds of publicly accessible computers” that these bureaus operate.

“If exploited, these vulnerabilities would allow a remote hacker to take control of publicly accessible computers or render them unavailable,” Mary Kendall, the IG, said at a joint subcommittee meeting of the House Oversight and Government Reform Committee. “More troubling, we found that a remote attacker could then use a compromised computer to attack the department’s internal or nonpublic computer networks.”

One of the Interior Department’s data centers was hacked as part of the recently disclosed cyber breach of the federal Office of Personnel Management. The DoI center houses data records for OPM. DoI’s center was hacked through OPM credentials that were compromised, Sylvia Burns, the chief information officer at DoI, told the panel.

Based on a report by the FBI and Department of Homeland Security, which have been jointly investigating the breach, there is no evidence that DoI data was stolen, Burns said.

The IG report hasn’t been publicly released but was recently briefed to certain congressional committees.

Kendall said the lax IT security at DoI “occurred because the department did not effectively monitor its publicly accessible systems to ensure they were free of vulnerabilities, or isolate its publicly accessible systems from its internal computer networks to limit the potential adverse effects of a successful cyber attack.”

Burns said that the department is moving to centralize its data centers. She also said that as of June 26 the department has implemented two-factor authentication for all of its privileged users. That authentication includes the use of PIV credentials, she said.

“This protects us from intruders who can compromise usernames and passwords to gain access to our network,” Burns said.