Energy Dept. hacks point to larger procurement, budget issues
The U.S. Department of Energy’s systems were compromised – successfully - more than 150 times in just four years.
If there were any doubts that critical infrastructure like the nation's power grid is a prime target of cyber attackers, then a report that the U.S. Department of Energy's (DoE) systems had been compromised – successfully - more than 150 times in four years should put them to rest.
Federal records snagged by USA Today in response to a Freedom of Information Act request revealed that hackers were busy between 2010 and 2014 when they launched 1,131 cyberattacks on Energy Department systems, with 159 of those considered successful.
John Prisco, president and chief executive officer at Triumfant, noted in comments emailed to SCMagazine.com that “All sensitive government computers are vulnerable because it takes too long to deploy defense and those defense are obsolete long before they see the light of day.”
Calling the news that the DoE has experienced more attacks than previously believed “similar to the OPM mode of releasing information,” Prisco, said, “Now we hear that attacks took place over 150 times in a 4-year period just like it was 4 million, oops 21 million people affected by the OPM hack.”
He contended that officials likely “have no idea how much, how many or when these breaches take place.”
Prisco said that as long as agencies adhere to elongated procurement cycles “we can assume that our government has no secrets.”
Government, too, has given security short shrift in its budgets.
“This is a common story across government because the low priority of security in the budget makes the task of preventing intrusions more difficult,” Jason Lewis, chief collection and intelligence officer at LookingGlass, said in emailed comments to SCMagazine.com.
While John Pirc, chief strategy officer and co-founder at Bricata, is surprised that the number of attacks wasn't higher, he stressed that even a single weak link could lead to serious consequences. “The fact they only had 1,131 cyber attacks in a 48-month period seems rather low considering they are a U.S. Federal Government Agency,” Pirc said in comments emailed to SCMagazine.com. “Additionally, it only takes one weak link and they found 159 that lead to 53 instances of gaining root/administrative privileges that they are aware of. One instance of root/administrative privileges is bad enough let alone 53 instances.”
Pirc gave Energy credit for discovering and tackling the problem but underscored that the “time to protection against both current and legacy threats are extremely important.”
Given budget constraints, LookingGlass's Lewis said, “I'm starting to think the best chance for agencies to combat threats is government wide programs that give them access to tools and services without spending their own budgets.”
He pointed to such programs offered by the Department of Homeland Security (DHS) and its ability to create even more. “If agencies aren't asking DHS for help, they are missing opportunities to prevent breaches,” he said.