Cyber Attack at Department of Energy Emphasizes Gaps in Cyber Security

Cyber security is apparently lacking in the Department of Energy.  Last month, hackers managed to gain access across 14 computer servers and 20 work stations to obtain personal information about several hundred employees at the agency.  While no classified information was compromised, the personally identifiable information could be used maliciously to access classified DOE data.  Laws require government agencies to disclose when personal data is hacked, but there is no law requiring disclosure of unauthorized access of classified information.

The Washington Free Beacon, which first reported the story on Monday, spoke with Ed McCallum, who worked at the DOE’s office of Safeguards and Security for 10 years.  “It’s a continuing story of negligence,” McCallum was quoted saying in regards to the security of the DOE’s sensitive information.  The DOE has not said if it knows who was responsible for the attack, but several news outlets, including the Free Beacon cited Chinese hackers as the likely culprits. Chinese espionage is suspected due to the sophisticated nature of the attack, and because China has targeted the DOE for secrets and technology in the past.  The New York Times and Wall Street Journal both reported attacks by Chinese hackers in the past few weeks.

Regardless of the origin of the attack, it is clear that increased security is necessary to safeguard national classified information.  The DOE includes the National Nuclear Security Administration, which is the entity that manages nuclear power and weapons, so it is no surprise that the department has been the target of attacks for years.  Stringent security measures should already be in place to prevent such attacks from being successful, but the DOE has pledged that it will investigate and fix the gaps in security that were made clear as a result of the attack.

So, an inevitable question arises from this situation; how is some of the most heavily guarded national information even hackable at all?  McCallum’s statements suggest that the DOE is a fairly easy target due to lax cyber security.  The Department has reported that as soon as the full scope of the incident is known, remediation will take place to improve security and protect not only employee data, but all of the Department’s information.  Increased network monitoring and specialized cyber defense strategies will soon be implemented to the Department’s networks.  Not only will this fill the gaps in security as the DOE has promised, but should also prevent future cyber-security breaches.

The intrusion at the Department of Energy comes at a time when cyber-security is a huge concern among energy customers, particularly those with smart meters.  The Smart Grid Interoperability Panel’s privacy subcommittee, led by Rebecca Herold, is one organization addressing the privacy issues affecting consumers.  While DOE employee personal information may be valuable for accessing confidential national data, electric consumer data could be similarly vulnerable.  For this reason, cyber security is currently one of the top concerns among electric utilities, as it needs to be for national security agencies as well.  As information in every sector becomes almost exclusively digital, security advances need to keep pace and protect vital information from hacking and theft.  Protection of sensitive electronic information seems, at last, to be a key issue for every entity transmitting electronic data.