Global Security Newswire
Daily News on Nuclear, Biological & Chemical Weapons, Terrorism and Related Issues
Auditors Blast DOE for "Fragmented" Cyber Attack Preparations
WASHINGTON -- A "decentralized and fragmented" investigative framework continues to ensnare U.S. Energy Department probes into digital attacks against its nuclear weapons sites and other facilities, placing targeted infrastructure in greater danger, the DOE inspector general asserted in a new report.
Auditors said the department and its semiautonomous National Nuclear Security Administration have failed to create a unified policy for managing cyber strikes, as suggested in another internal assessment issued nearly five years ago. Such a plan would delegate duties for responding to electronic assaults and ensure rapid and comprehensive reporting of incidents, according to a recommendation included with the new findings.
The organizations faced a nearly seven-fold increase in electronic strikes from 2006 to 2011 and dealt with more than 2,300 computer system breaches, malware incursions and related events over a 2 1/2-year period that ended in March, the report says. One high-profile attack targeted data associated with the Y-12 National Security Complex in Tennessee and forced the nuclear arms facility's public website to be taken down for roughly a week.
The latest findings criticize procedures adopted last year as hindrances to the ability of police and counterintelligence personnel to conduct checks after digital attacks.
"Specifically, sites did not always report cyber security incidents because updated policy and reporting instructions lacked detail and were subject to interpretation," according to the Dec. 11 report. A group of seven DOE facilities failed to report 91 of 223 identified computer violations to authorities before established deadlines, the document notes separately. The Los Alamos National Laboratory in New Mexico, though, denied it had improperly reported several strikes in a Thursday article by Mother Jones magazine.
The earlier IG assessment helped spur the creation of a multioffice group for reacting to electronic strikes, but a "particularly severe incident" last year revealed lingering problems and prompted the establishment of a new organization intended to eventually assume responsibility for addressing computer attacks across the department. However, plans languished for expanding the new group by the end of fiscal 2011, auditors wrote.
They faulted NNSA and other department personnel for never reaching agreement on "which cyber security incident capabilities best provided specific services," and then plotting a strategy for combining them. The department also neglected to assign duties for leadership of the new office -- named the Joint Cybersecurity Coordination Center -- and to establish a "project management strategy" with elements such as evaluation standards and funding requirements, the new report adds.
The department continues to fund redundant electronic attack response capacities, auditors said. Overlapping capacities for gathering and holding evidence from such strikes exist within two organizations in addition to the intended central response office. Those groups -- the NNSA Information Assurance Response Center and the DOE Cooperative Protection Program -- together receive more than $20 million each year.
One expert said the IG report's findings could have implications for the protection of closely guarded nuclear weapons data.
"There is an extensive history of nuclear security violations involving the compromise of the most highly classified nuclear weapons design information through espionage, neglect and failures of counterintelligence," and the new report points to the need for an "integrated, coordinated" defensive strategy, Federation of American Scientists government secrecy expert Steven Aftergood said.
"When there are multiple, overlapping security regimes in place, it becomes more difficult to manage security policy effectively," Aftergood told Global Security Newswire by e-mail on Friday. "It's a fairly obvious point, but a crucial one."
Leaders of the DOE nuclear agency and other department offices agreed to auditors' call to prepare a unified policy for coordinating DOE responses to digital attacks, as well as to create a single set of detailed rules for detecting and reacting to computer breaches.
Note to our Readers
GSN ceased publication on July 31, 2014. Its articles and daily issues will remain archived and available on NTI’s website.