Holes in the Department of Energy’s security system leave the personal information of thousands of past and present federal employees, contractors and their dependents vulnerable to cyberattacks, according to a government watchdog.
Outdated software and lack of attention to ongoing problems cause many of the department’s key programs to operate at a “higher-than-necessary level of risk,” the inspector general said in an unclassified version of the report made public Monday.
Programs included in the IG’s review were those overseen by the department’s under secretary for nuclear security, under secretary for science and energy and under secretary for management and performance.
Despite a 2013 audit that uncovered many of the same problems, DOE officials have yet to reach 65 percent of their cybersecurity goals, missing the deadline for almost half of the agency’s cybersecurity repairs by more than a year.
The 2013 IG report estimated that the personal information of more than 150,000 individuals, including Social Security numbers, had been compromised.
The IG review of 24 DOE offices found new cybersecurity risks at 11 locations and 14 that were previously reported.
Some of the DOE programs had failed to protect their computers against unauthorized access, setting up their servers with “default or easily guessed passwords,” the IG said.
Others ran human resources, business and support programs without screening downloads or data input. At least 12 separate applications at six different locations had “accepted malicious input data that could be used to launch attacks to gain unauthorized access” to such agency programs.
At one DOE office, none of the information security staff had received training in their responsibilities. Officials failed to monitor who logged in and out of the system or whether security data was altered or deleted. The site didn’t even have an inventory of its technology equipment, nor did it report lost or stolen assets. IG auditors attributed many of the agency’s cybersecurity flaws to its failure to track and report persistent security weaknesses or its efforts to remedy them.
Some DOE programs had yet to establish cybersecurity policies to govern the use of their systems. Others who had developed policies neglected to inform staff of what they were.
The ongoing cybersecurity lapses have allowed three attacks to jeopardize the private information of current and former DOE employees since 2011.
A subsequent report on the attack estimated the DOE spent more than $3.7 million recovering from the most recent breach in 2013.
Some of DOE’s programs had not received a cybersecurity review in a decade before the IG began investigating the 2013 breach.