Aware of Risks, Agency Ignored Warnings

Tuesday, December 17, 2013 @ 08:12 AM gHale

What is worse, not knowing you have a security weakness and not doing anything about it or knowing you have a security issue and not doing anything about it? The answer is both are worse.

One federal agency knew it had a weakness with its cyber security, but they did nothing about it and ended up hacked to the point where private information of employees, their dependents and contractors ended up compromised, federal auditors said.

In a report released Wednesday, Department of Energy (DoE) Inspector General Gregory Friedman said the DoE breach last summer affected over 104,000 people, providing access to names, Social Security numbers, dates of birth and other information from a human-resources network.

RELATED STORIES
IG: DHS’ Own Cyber Plan Lacking
Feds’ Security Practices Lacking
Data Breaches Go Undisclosed
Security: A Strategic Voice

The end result was confusion over who was in charge of making the fixes, poor communication among responsible officials and pressure to keep systems running to maintain productivity all contributed to the problems, according to the report. Sound familiar?

DoE is not the first agency to have issues with cyber security as the Inspector General had issues with the Department of Homeland Security for having a difficult time protecting itself.

The agency for months failed to patch its systems regularly against known cyber security threats or scan its networks consistently, in real time, to keep out digital malefactors, according to a report released by the DHS inspector general.

In fact, the federal government as a whole is failing to lead when it comes to cyber security best practices, said an advisory council to President Obama. The council recommended a real-time threat intelligence-sharing among private-sector entities.

A new, unclassified report to the Obama administration, the President’s Council of Advisors On Science and Technology (PCA ST) said the federal government must set the tone by fixing its own security processes.

Along those lines, auditors found DoE did not implement accepted standards for protecting its networks and failed to ensure its security controls were working effectively in many cases.

DoE has been hacked three times since May 2011, according to auditors. DoE acknowledged two incidents this year alone, telling employees in an August memo it would offer one year of free credit monitoring for impacted personnel and assistance in protecting them from identity theft.

The inspector general said those efforts, along with paid leave allowed for individuals needing to correct issues associated with the breaches, could cost the government up to $3.7 million, all of which could have been avoided.

The report said the department used complete Social Security numbers contrary to federal guidance, allowed direct Internet access to a highly sensitive system without adequate protections and failed to take action on known network vulnerabilities.

“In spite of a number of early warning signs that certain personnel-related information systems were at risk, the department had not taken action necessary to protect the [information],” Friedman said in a summary.

Despite the recent breaches, the department said in August no classified government information ended up compromised. However, hackers could use stolen employee data to access other agency systems, potentially leading to future intrusions.



Leave a Reply

You must be logged in to post a comment.