First, some background. The DOE warned employees in an emailed memo earlier this month that information pertaining to 14,000 current and former employees had been compromised in a "cyber incident that occurred at the end of July." Stolen information included personally identifying information (PII) in the form of names and social security numbers, according to a copy of the memo published by The Wall Street Journal.
"No classified data was targeted or compromised," the memo read. "Once the full nature and extent of this incident is known, the department will implement a full remediation plan." The agency promised that all affected employees would be notified individually by the end of August.
[ Want to know more about government security problems? See Most VA Privacy Breaches Trace To Paper, Not PCs. ]
The July breach marked the second time this year that the DOE reported that online attackers had infiltrated its systems, following a February intrusion that officials said resulted in the theft of information pertaining to several hundred employees.
1. Source: Hack Involved Outdated System
According to a source close to the DOE, the system hacked in the July breach -- which stored PII -- was outdated, unpatched and easy pickings. "The form and style of this attack were not difficult to defend if you're doing the basics of cybersecurity: knowing what's on your network, knowing what your vulnerabilities are, doing good patch management and establishing mitigations against the places where you know you're vulnerable," the source said. "But you've got to start with knowing what's on your network."
A DOE spokeswoman, as well as the agency's CTO, didn't respond to multiple requests for comment -- made over the past week via email and phone -- about the breach and whether the agency plans to alter its approach to cybersecurity.
2. DOE Failed To Implement SANS Top 20
"Knowing what's on your network" alludes to SANS Institute's 20 Critical Security Controls for Effective Cyber Defense, which are widely considered to be the basic steps for every information security program. Put another way, the consensus is that organizations which fail to put those 20 controls in place can't effectively defend themselves against attackers.
The No. 1 recommendation on the SANS Top 20 is to create an "inventory of authorized and unauthorized devices." In other words, businesses and government agencies must know what's on their network. If they don't, then attempting to safeguard the network against intrusions becomes orders of magnitude more difficult.
3. Why DOE Might Be Running Unpatched Systems
The above isn't rocket science. So how was an outdated, unpatched and apparently Internet-accessible system containing personal information on thousands of DOE employees -- some of whom work with cutting-edge nuclear secrets -- allowed to run on the agency's network?
One likely explanation: unclear lines of IT oversight and authority. The DOE, like all government agencies, comprises numerous internal departments and fiefdoms. Furthermore, most of the agency's budget comes from Congressional appropriations that flow to project offices; relatively little is directed to centralized functions. As a result, creating a top-down, "thou shalt comply" IT and patch management regime is difficult.
The IT picture is further complicated by the agency's oversight of 17 national laboratories (including Fermi National Accelerator Laboratory and Los Alamos National Laboratory) and 14 other facilities, including Bettis Atomic Power Laboratory, Kansas City Plant and the Yucca Mountain nuclear waste repository. The scale of those operations is highlighted by the fact that the DOE reportedly had about 16,000 employees as of 2009, and 93,000 contractors on the books as of 2008. (A DOE spokeswoman didn't respond to an emailed request for more up-to-date employment figures.)
All of those 30-plus labs and facilities are run by contractors, and they're arguably held to a higher information security standard than the DOE itself. To wit, the DOE's two most recent breaches didn't involve networks managed by labs or facilities, but rather infrastructure managed by DOE's in-house IT staff. No heads appear to be rolling at DOE, and no Congressional inquiry has begun. Would the same be true if those cybersecurity shortcomings were traced to a contractor?
4. Upside: DOE Leading On Agency Cybersecurity
Then again, Alan Paller, director of research at the SANS Institute, thinks the DOE's cybersecurity practices are quite good. "From what I can tell, DOE is doing about the best job in government on cyber governance in a very challenging structure where each element has enormous business independence," Paller said in an email.
What might DOE be doing better? In general, he noted that at every government institution, paper-based policies and strategies too often trump hands-on security improvements.
5. Challenge: Improving Actual Security, Not Just Policies
Blame a widespread lack of hands-on cybersecurity skills across the federal government. "The great failing of DOE is that too many of its security officers do not have the technical mastery to implement the 20 [SANS] controls cost-effectively," Paller said. "They still are living in an era of compliance, where writing reports is more important than securing systems. This same affliction is found in most federal agencies, and I see DOE as among the better ones. It is that cyber-skills weakness, along with a lack of persuasion skills -- needed to get agency staff to take necessary action -- that leads to losses."
Again, Paller emphasized that this problem isn't unique to the DOE, which he lauded for having publicized the breaches. "You are not seeing most of the losses in the other agencies," he said. "DOE has led the way on being open."