DOE Cyber-Security Audit Shows Incident Reporting, Management Hurdles

An audit of the Department of Energy's Cyber Security Incident Management Program outlined a number of challenges facing the agency.

An audit of the Department of Energy's Cyber Security Incident Management Program found that duplicative efforts and the inconsistent reporting of cyber incidents are challenging security management.

Released earlier this month, the audit by the DOE's Office of Inspector General paints a picture of an agency in need of a unified cyber-security management strategy as it works to deal with these issues. Among the report's findings was that independent, partially duplicative incident-management capabilities exist and are costing more than $30 million a year. In particular, the department's Joint Cybersecurity Coordination Center (JC3) provided response and advisory services, maintained supporting computer forensics capabilities, and assisted in investigating and preserving cyber evidence, even as at least two other organizations performed similar functions.

In addition, the audit found that cyber-security incidents were not consistently identified or reported to the JC3 as required. For example, 91 of 223 reported incidents at seven sites were not reported within the required time frames. Ten incidents involving the loss of personally identifiable information were reported up to 15 hours after discovery, as opposed to the 45 minutes required by policy. In some cases, the incident reports did not contain "essential information" such as the date and time an incident occurred and the number of machines affected, ultimately meaning the information provided to law enforcement agencies and the U.S. Computer Emergency Readiness Team (US-CERT) was incomplete, the report said.
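The two reporting failures the audit describes, late escalation and reports missing essential fields, are easy to measure once incident records are structured. The following is an added example, not code from the DOE or from the audit: a small checker that scores a set of incident reports against a reporting deadline and a list of required fields. The 45-minute deadline for incidents involving personally identifiable information is the figure the article quotes; the 240-minute deadline for every other category, the field names, the `IncidentReport` and `Finding` types, and the sample records are all constructed for illustration and are not DOE policy values.

```python
"""Incident-report timeliness and completeness check (added example).

Scores incident reports against two policy requirements the audit describes:
escalation within a required time frame, and inclusion of essential fields
(when the incident occurred, how many machines were affected).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting deadlines measured from discovery. The PII value is the one the
# article quotes; the default is an assumed placeholder for demonstration only.
DEADLINES = {
    "pii": timedelta(minutes=45),
    "default": timedelta(minutes=240),  # assumption, not a DOE figure
}

# Fields the audit called "essential": when it happened and how many hosts.
ESSENTIAL_FIELDS = ("occurred_at", "machines_affected")


@dataclass
class IncidentReport:
    incident_id: str
    category: str                      # e.g. "pii", "malware"
    discovered_at: datetime
    reported_at: Optional[datetime]    # None if never escalated to the central team
    details: dict = field(default_factory=dict)


@dataclass
class Finding:
    incident_id: str
    late_by: Optional[timedelta]       # None when on time or never reported
    unreported: bool
    missing_fields: tuple


def deadline_for(category: str) -> timedelta:
    return DEADLINES.get(category, DEADLINES["default"])


def check_report(r: IncidentReport) -> Finding:
    """Describe how one report deviates from the reporting policy."""
    # A field counts as missing when absent or blank; a value of 0 is present.
    missing = tuple(f for f in ESSENTIAL_FIELDS if r.details.get(f) in (None, ""))
    if r.reported_at is None:
        return Finding(r.incident_id, None, True, missing)
    overdue = (r.reported_at - r.discovered_at) - deadline_for(r.category)
    late_by = overdue if overdue > timedelta(0) else None
    return Finding(r.incident_id, late_by, False, missing)


def summarize(reports):
    """Aggregate counts in the shape an auditor would quote (e.g. 'N of M late')."""
    findings = [check_report(r) for r in reports]
    return {
        "total": len(findings),
        "late": sum(1 for f in findings if f.late_by is not None),
        "unreported": sum(1 for f in findings if f.unreported),
        "incomplete": sum(1 for f in findings if f.missing_fields),
        "findings": findings,
    }


def _t(hour, minute):
    # Constructed timestamps on an arbitrary day, UTC.
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


# Constructed sample records; none of these come from the audit.
SAMPLE_REPORTS = [
    # PII incident reported after 30 minutes with all essential fields: compliant.
    IncidentReport("INC-001", "pii", _t(9, 0), _t(9, 30),
                   {"occurred_at": "2024-01-15T08:50Z", "machines_affected": 1}),
    # PII incident reported after 60 minutes (15 past the 45-minute limit)
    # and missing the machine count.
    IncidentReport("INC-002", "pii", _t(9, 0), _t(10, 0),
                   {"occurred_at": "2024-01-15T08:55Z"}),
    # Non-PII incident reported after 180 minutes: within the assumed default.
    IncidentReport("INC-003", "malware", _t(12, 0), _t(15, 0),
                   {"occurred_at": "2024-01-15T11:40Z", "machines_affected": 12}),
    # Incident handled locally and never escalated, with no details recorded.
    IncidentReport("INC-004", "malware", _t(12, 0), None, {}),
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORTS)
    for finding in summary["findings"]:
        print(finding)
    print({k: v for k, v in summary.items() if k != "findings"})
```

The summary counts map directly onto the statistics the audit reports (incidents reported late out of the total, incidents missing essential information); feeding the same check real ticket exports is one way a security operations team can monitor its own reporting compliance before an inspector general does.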

"In the absence of an effective enterprise-wide cyber-security incident-management program, a decentralized and fragmented approach evolved that placed the department's information systems and networks at increased risk of compromise," according to the report. "The department's current reporting and cyber incident management structure also increases the risk that it will be unable to satisfy both internal and external response and reporting requirements."

Former US-CERT Director Mischel Kwon said the report is not as bad as it may seem, and instead illustrates an agency working to address operational and structural issues.

"They have hit the very top problems that I think every organization is struggling with today," said Kwon, who is now president and CEO of Mischel Kwon Associates.

The reporting of incidents is not always clear-cut, she added, noting that in the past the information people were asked to report was based on Federal Information Security Management Act (FISMA) requirements as opposed to sharing information to address advanced persistent threats.

"If you look at the US-CERT incident response numbers for last year, you might chuckle a little bit," she said. "If you look at them for the past 10 years, you may think that's nowhere near the volume of incidents I would expect in this large a landscape."