Increasing security breaches worry Energy IG

Inspector General Gregory Friedman hopes to lock down security on the Energy Department's interconnected computer networks, after auditors called 132 security breaches serious enough to report to law enforcement in fiscal 2006 — 22 percent more than in the prior year.


The department's 69 organizations support as many as eight separate intrusion and analysis groups, which do not use a common incident-reporting format and do not always retain crucial information about cyberattacks, the IG said in a report released today. Some sites opt out of monitoring their networks or even disable the sensor equipment.


Energy has found such cyber weaknesses before but "does not specifically require that incidents be reported to law enforcement or counterintelligence officials," the report said. The IG recommends:



  • Developing and implementing an enterprisewide cyber incident management strategy

  • Taking a consistent approach to developing or revising policies across all Energy organizations.

  • Finding a way to periodically test and evaluate the department's overall performance in cybersecurity incidents.


The Office of the Chief Information Officer's Computer Incident Advisory Capability has been watching cybersecurity and providing computer forensics services to the department since 1989, at a cost of $6.8 million in fiscal 2006, the IG report said. Nevertheless, other groups, such as the National Nuclear Security Administration's Information Assurance Response Center and smaller organizations at various Energy sites, compete with CIAC for authority and funding. 


The CIO in 2006 called for "an integrated approach to management of cyber incidents." The department's most recent guidance, however, does not cover communications and coordination in "Incident Management Guidance," known as CS-9. A draft replacement known as "Technical and Management Requirement 9" does not address the duplication of security efforts, the IG said. Plans to revitalize policies within 60 days of the February 2006 acceptance of a similar report have yet to be approved.


The IG report said it took 10 months to learn that a hacker had stolen the names and Social Security numbers of 1,500 Energy employees from an NNSA site in 2005. Seven of 11 field sites audited, three federal and eight contractor-operated, have not identified which of their systems store such personal information or evaluated the risks of exposing it.


Energy's CIO will now draft a formal departmental cybersecurity strategy by March 31, according to the report.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.