Department of Energy (DOE) computers and digital networks are highly vulnerable to cyber attacks by foreign powers and hackers because of the agency’s failure to correct problems that have been known for years, a government watchdog reported.
Key software “was missing security patches,” systems had blank or shared passwords, and malicious input “that could have been used to launch attacks against” users was found on applications, among other problems, DOE’s Inspector General (IG) wrote in a report made public Wednesday.
The “types of deficiencies identified in prior years, including issues related to vulnerability management, system integrity of web applications, access controls and segregation of duties, and configuration management, continue to exist,” the IG said.
The energy department’s cybersecurity is especially crucial to national security because it manages multiple programs related to America’s nuclear arsenal and uranium enrichment. The threat to such systems is very real, given the U.S.’s successful attack on Iran’s nuclear facilities with the Stuxnet virus.
The U.S. has also been victimized by cyber attacks such as the 2015 breach at the Office of Personnel Management, which exposed more than 21 million current and former federal workers’ personal information.
The IG said DOE “continues to encounter various types of cybersecurity incidents including compromise of user workstations, web defacements, and loss or theft of information technology equipment” and “has reported more than 640 incidents in FY 2016.”
“Without improvements to its cybersecurity program … the department’s systems and information will continue to be at a higher-than-necessary risk of compromise, loss, and/or modification … the department may not adequately address cybersecurity risks to ensure protection of data and information systems.”
The cyber issues exist because DOE hasn’t “fully developed and/or implemented policies and procedures” and “had not always implemented an effective performance monitoring and risk management program.”
Additionally, DOE’s “primary cybersecurity directive had not incorporated critical federal requirements issued more than 3 years ago,” and “had not updated its Program Cyber Security Plan since June 2010 to reflect new cybersecurity risks,” the IG continued.
DOE did, however, make “progress remediating weaknesses identified in our FY 2015 evaluation, which resulted in the closure of 10 of 12 prior year deficiencies,” the IG wrote.