Unclassified information about America’s nuclear facilities continues to be at risk of being compromised, thanks to weaknesses in the Department of Energy’s cyber-security systems, a government watchdog reported Monday.
The department is updating its cyber-security systems, but the agency’s inspector general found that the program has too little oversight, which creates vulnerabilities such as digital systems being left completely unchecked against intruders.
Federal energy officials are responsible for massive amounts of digital data concerning every aspect of the nation’s energy production, use and reserves, as well as for facilities that are of critical importance to the U.S. military’s nuclear weaponry.
“We found that additional effort is needed to ensure that operating system risks are identified and systems and information are adequately secured,” the report said. “Without improvements to its cyber-security risk management program, the department cannot ensure that it has an ongoing understanding of the risks to its system and to what extent those risks have been or can be mitigated.”
Consequently, the department’s “systems and information may be placed at an increased risk of compromise,” the report said. “Cyber attacks on information systems have become aggressive, disciplined, well-organized and very sophisticated. The threat environment also continues to change and become more complex.”
A July 2013 breach “cost the department $3.7 million in lost labor hours and funds expended that could have been better used,” according to the report.
Still, two years later, “the department had not established sufficient oversight and communication to support its cyber-security risk management program,” the report said. “In addition, federal officials had not provided adequate oversight to ensure effective risk-management practices had been implemented.”
The fact that such problems remained unfixed means sensitive digital information could be stolen from the government.
For example, “programs and sites had not always selected and implemented required cyber-security controls necessary for protecting information systems and data from potential loss or unauthorized disclosure,” the report said. Also, cyber-security tests weren’t effective enough to ensure that information systems were sufficiently protected.
In some cases, officials who authorized the cyber-security programs weren’t “fully aware of the risks and weaknesses present on the information systems under their purview,” the report said.
Meanwhile, programs to continuously monitor the department’s digital systems were not “fully developed and implemented,” the report said. “None of the sites reviewed had developed a formal process for periodically assessing updating cyber-security metrics.”
Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact email@example.com.