Global Security Newswire
Daily News on Nuclear, Biological & Chemical Weapons, Terrorism and Related Issues
DOE Victim of Multiple Successful Cyber Strikes, Watchdog Says
The U.S. Energy Department, which through one branch has oversight responsibilities for the nation's nuclear arsenal, has been the victim of multiple cyber strikes and must take action to safeguard computer networks, an internal audit revealed on Monday (see GSN, June 14).
The Energy Department's inspector general did not in its public report identify who was responsible for the computer-based attacks or their impacts on four targeted sites, Reuters reported. No specifics were provided on when the cyber strikes took place.
The department's semiautonomous National Nuclear Security Administration manages upkeep and updates to the nuclear stockpile. The report does not specifically state whether the agency had been the victim of computer attacks.
The inspector general highlighted an increasing number of vulnerabilities in DOE computer networks. Computer vulnerabilities had increased by 60 percent compared to weaknesses discovered in a 2010 audit. Just 11 of the 35 vulnerabilities pinpointed in the 2010 audit had been eliminated by the time of the new report.
"Continued vigilance is necessary due to the recent department incidents and increased cyber attacks by both domestic and international sources," the report states. Department computer networks are "routinely threatened with sophisticated cyber attacks," it says.
The website for an NNSA-managed complex in Oak Ridge, Tenn., was digitally attacked in June. However, no sensitive information or details related to the nuclear weapons work of the Y-12 National Security Complex were compromised, according to earlier reporting.
The National Nuclear Security Administration has been found before to have poor computer security standards.
In April, the Energy Department's internal watchdog found that the Lawrence Livermore National Laboratory in California was not sufficiently safeguarding some high-value national security information and had improperly allowed private contractors to make decisions about computer systems that hold data on the U.S. nuclear arsenal. Lax security regulations at another nuclear laboratory at Los Alamos, N.M., were found to have resulted in more than 50 incidents from 2002 to 2007 of classified data being either compromised or potentially compromised (see GSN, April 20).
The nuclear agency objected to some of the 2011 report's findings even though it was not specifically cited as a victim of cyber attacks, Reuters reported. Some of the vulnerabilities highlighted by the report are "isolated issues," according to the agency.
"We are concerned that a casual reader of this report might not fully understand that the findings, while important, do not represent demonstrated risks," NNSA Associate Administrator Kenneth Powers stated in a letter to the inspector general.
The inspector general did acknowledge that the Energy Department had moved to remedy a number of the issues highlighted by its investigation (Reuters/Fox Business, Oct. 24).
"While NNSA concurred with our recommendations, it disagreed with the characterization of the scope, severity, and cause of the issues presented in our report," the 2011 audit report states.
"NNSA management commented that finding a relatively small number of misconfigured devices at the sites reviewed did not inherently suggest widespread weaknesses of control and that the fractional percentages of misconfigured devices identified were isolated issues at the system-level and not across the Nuclear Security Enterprise. Management also stated that the weaknesses identified in our report did not account for compensating controls and may have been within the sites' acceptable risk," the report continues.
The inspector general defended its findings of a significant computer security risk: "Given that the vulnerabilities identified within NNSA spanned desktops, applications, and network devices, we do not believe that our findings are necessarily isolated incidents. As noted in the report, our test work revealed that the weaknesses, if exploited, could have permitted a malicious user to compromise systems or data (U.S. Energy Department Inspector General's Office report, October 2011).
Note to our Readers
GSN ceased publication on July 31, 2014. Its articles and daily issues will remain archived and available on NTI’s website.
Oct. 23, 2014
NTI Vice Chairman Des Browne delivered the keynote address at the Washington-based Arms Control Association's annual meeting, covering a range of nuclear policy issues.