A United States Geological Survey employee infected the scientific agency’s networks with malware from pornography sites, leading the Department of Interior watchdog to recommended the USGS strengthen internet security protocols.
The Agency’s inspector general traced the malicious software back to a single USGS employee, who reportedly used a government-issued computer to visit some 9,000 porn sites, according to a report published October 17.
Many of the prohibited pages were linked to Russian websites containing malware, which was ultimately downloaded to the employee’s computer and used to infiltrate USGS networks, auditors found. The investigation found the employee saved much of the pornographic material on an unauthorized USB drive and personal Android cell phone, both of which were connected to their computer against agency protocols.
The employee’s cell phone was likewise infected with malware.
“Our digital forensic examination revealed that [the employee] had an extensive history of visiting adult pornography websites” that hosted malware, the IG wrote. “The malware was downloaded to [the employee’s] government laptop, which then exploited the USGS’ network.”
As Gizmodo reports:
According to U.S. Department of Interior rules, employees can’t use work systems to watch or share porn and are also not supposed to connect personal devices to work devices or networks. The employee allegedly said that he had been given the yearly IT security training and agreed to the U.S. Department of the Interior’s IT Rules of Behavior “several years” before the inspector general’s findings. In other words, dude should have known better.
Auditors recommended USGS more closely monitor employees’ web browsing and enforce blacklists of prohibited websites. They said proactively identifying and blocking adult websites “will likely enhance preventative countermeasures.”
They also advised the agency to strengthen its IT security policies to stop employees from connecting personal devices to government computers, which could propagate malware on federal networks. USGS guidelines currently prohibit employees from doing so, but the agency hasn’t disabled such connections on government-issued devices.