The US Department of Energy (DOE), which oversees the US power grid, nuclear arsenal and national science labs, is a prime target for cyberattackers who want to harm the United States.
Now we are beginning to glimpse the extent of the threat, thanks to unclassified records obtained through a Freedom of Information Act request by USA Today.
The government records show cyberattackers successfully compromised the DOE 159 times between October 2010 and October 2014, and attacked the agency a total of 1131 times during that period.
USA Today reports that 53 of the successful attacks were root compromises, meaning the attackers had administrator privileges on compromised DOE computer systems.
Of the 159 successful intrusions, 90 compromised the DOE Office of Science, which conducts energy research, and another 19 attacks compromised the National Nuclear Security Administration – the agency in charge of securing the nation’s stockpile of nuclear weapons.
The DOE disclosed a breach in July 2013 that compromised personal records of 104,000 past and current federal workers, contractors and their dependents.
But the DOE isn’t saying what data or systems may have been compromised in the other 158 breaches – that information has been redacted from the records.
A DOE spokesperson told USA Today that the agency can’t comment on investigations into the compromises or who might have been behind them.
But it’s quite possible that other nation states could be the culprits, as the US’s top cybersecurity official alluded to in a speech in Washington, DC this week.
Admiral Michael Rogers, head of US Cyber Command and the National Security Agency, said nation states are spending a lot of time and effort to gain access to the US power grid and other critical infrastructure, according to the Wall Street Journal.
Those nation states want to have “options and capabilities” against the US, Rogers said:
We have seen nation states spending a lot of time and a lot of effort to try to gain access to the power structure within the United States, to other critical infrastructure, and you have to ask yourself why. It's because in my mind they are doing this with a purpose, doing this as a way to generate options and capabilities for themselves should they decide that they want to potentially do something.
How the US can defend itself against these threats is an open question right now.
Should the US develop its own offensive cyber capabilities as a deterrent? Should it use economic sanctions against countries like China that have a history of cyberattacks on US interests?
Perhaps the US government should focus first on cleaning its own house.
USA Today reports that an audit last year found 41 DOE servers and 14 workstations used default or easily guessed passwords.
That’s making an attacker’s job far too easy.
Image of high voltage warning sign courtesy of Shutterstock.com.
allthosetankprograms
“How the US can defend itself against these threats is an open question right now.” How about not making all this crap reachable on the public internet in the first place?
I don’t put my knife block full of sharp knives in the bottom drawer, then b**** and complain when my 3 year old starts messing with them.
Steve
DOE can’t waste any time or money on security… they have *REAL* issues to deal with, like that evil COAL!
Anonymous
The should be at the least matching the gov requirements for bank security.
msvivphd
This is a fundamentally useless article. It says nothing about what objective an attacker may have and it fails to point out that the United States itself undoubtedly provokes these attacks by the attacks it makes on the cybersecurity of nations like Iran and China and especially by its constant string of unnecessary and unprovoked wars (Afghanistan, Iraq,
Libya, Syria). The notion that the US is “entitled” to control the globe via its control of international institutions like the IMF and World Bank, as well as via the Pentagon with its doctrine of Full Spectrum Dominance is clearly going to make it a targets for those who have good reason to hate us.
Bob
Maybe I’m naive, but if I would have thought that any country that had to secure the most important aspects of their country, then the Internet would be a no go area.
You can use all the security that’s available to you, but clearly thats not good enough. So either use a whole new digital communication protocol if you are going to use the internet as a medium and implement bespoke hardware and components – or just don’t use the Internet at all.
My thinking is along the lines that anything deemed highly sensitive should be on a secure Intranet that is never connected to the internet. Expensive to do so – yes, but can you worry about cost when the stakes are so high.