Energy Department Breach Years In Making, Investigators Say
User Rank: Author
12/13/2013 | 2:22:26 PM
Breaches And Communication
"On the subject of information security responsibility, confusion reigned, with the Office of the Chief Information Officer (OCIO) and the Office of the Chief Financial Officer (OCFO) -- which maintained DOEInfo -- each believing that the other department was in charge of patching system vulnerabilities." That makes me squirm just thinking about it. But IT pros see this time and again -- complete failure to communicate.
Marilyn Cohodas
User Rank: Author
12/13/2013 | 3:32:47 PM
Re: Breaches And Communication
I wonder if the private sector is any better than this. I kinda doubt it. Anyone agree?
User Rank: Author
12/13/2013 | 6:59:28 PM
Inspectors General
This report is certainly a cautionary tale about what happens when managers ignore advice and/or choose to underinvest.

But this report is also remarkable for another reason. It's something that you'll rarely see in the private sector. In fact, government agencies deserve more credit than they get for 1) maintaining inspectors on staff to investigate operating problems; and 2) for releasing the messy findings when they occur, as DOE's inspector general has -- and other agency inspectors general do on a regular basis.

It's not a lot of consolation for those whose private information was compromised. But take a moment to ponder: You don't see a report like this explaining why an Amazon regional cloud center went down or when a credit card processing company gets hacked.

Now let's hope DOE and other federal agencies learn from their mistakes.

User Rank: Ninja
12/14/2013 | 5:29:16 PM
Re: Breaches And Communication
This is something else. I hope that managers read this and see it as a wake-up call because it is evident that these types of breaches can cost an organization a lot of money. Maybe someone will learn from these mistakes and that in turn will prevent some sort of future breach which could have affected countless lives in terms of potential identity theft risks.
User Rank: Moderator
12/16/2013 | 4:54:55 AM
Re: Inspectors General
That's a great point, Wyatt. Kudos to the current DOE management -- including the CIO -- for not only calling for an investigation but also publishing the results of the related inquiry, as well as apparently getting needed fixes in place, finally.

Part of the reason this breach occurred is because past generations of DOE upper management allowed it to happen. They authorized the continued development of new applications that hooked into the outdated/insecure/Internet-accessible/unsuitable Adobe ColdFusion DOEInfo database. Fast-forward some years, and you have a breach waiting to happen.

Current DOE management inherited a mess. Should they have fixed it faster? That's open to debate. Regardless, credit where due: "From what I can tell, DOE is doing about the best job in government on cyber governance in a very challenging structure where each element has enormous business independence," Alan Paller, director of research at the SANS Institute, told me earlier this year. (It's notable, of course, that this breach involved HQ, rather than one of the DOE's contract organizations. Meaning that it can't hide behind "business independence," because it's in charge and should be setting a standard that it expects everyone else to emulate.)

With luck, DOE's experience will spur other agencies to do what they should be doing: nuking outdated systems, replacing legacy integrations with modern connectors, eliminating outdated data stores, inventorying all enterprise applications (so they know what to secure) and documenting the name of the person inside the agency whose head will roll if a given application isn't kept updated/secure. For starters.
