http://www.govexec.com/dailyfed/0606/060906tdpm1.htm
By Heather Greenfield
National Journal's Technology Daily
June 9, 2006
The Energy Department disclosed to Congress on Friday that
it suffered
a security breach from a hacker in September that
compromised 1,500
personnel records.
The news broke just as a House Energy and Commerce Oversight
and
Investigations Subcommittee was supposed to start a hearing
on how
secure Energy Department computers are in light of recently
reported
data breaches at the Internal Revenue Service and Veterans
Affairs
Department.
Kentucky Republican Ed Whitfield, chairman of the
Subcommittee, said
there is no excuse for the department to have its current
"F" in
cyber-security compliance -- or for waiting eight months to
tell the
Energy secretary or his committee about the security breach.
"It's unbelievable [that] 1,500 personnel files can
be compromised
with Social Security numbers," Whitfield said.
"The impact that can
have on individuals is quite disturbing."
Full Energy and Commerce Committee Chairman Joe Barton,
R-Texas,
visited the hearing room to express his outrage at the data
breach and
later called Energy Secretary Samuel Bodman. "If the
administration
won't do something about this incident, this committee
will," he said.
While most of the details of the hacking incident were
discussed later
in executive session, a government agency that tests the
department by
breaking into its computer system said the attack was at the
National
Nuclear Security Administration.
NNSA Administrator Linton Brooks said he learned of the
"sophisticated" hacking incident in September.
He said he did not know
whose job it was to tell Bodman, but he wished he had.
"Mr. Brooks, I'm going to recommend you be removed
from office, and I
think you would do the country a service if you
resigned," Barton
said. Brooks said that because the breach was labeled a
counterintelligence issue, the two sides of the organization
each
assumed the other had notified the secretary. Barton called
that
explanation "hogwash."
Energy Chief Information Officer Thomas Pyke said he was
aware of
various hacking incidents but only learned of the personnel
data
involved two days ago.
Pyke said the department faces hundreds of thousands of
attacks each
day. In the event where the records were exposed, he said
the attack
penetrated both a firewall and a detection system.
Glenn Podonsky, director of the office of security and
safety
performance assessment, told lawmakers that in November, his
team
successfully accessed Energy's unclassified computer
system. He said
they gained access to financial and personal data, and could
have
impersonated or monitored department executives.
"We basically had domain control," Podonsky
said. He said with
security improvements made since then that the office could
break in
but not gain domain control.
He said his office believes Energy is moving too slowly in
making
security improvements and noted that part of the problem is
because of
work done by outside contractors.
Whitfield also wanted to know why the Energy Department has
failed to
report 50 percent of attacks to its computer systems.
Podonsky said he
agreed they should be reported to help law enforcers track
them.
©2006 by National Journal Group Inc. All rights reserved.
_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com
|