The Energy Department’s cybersecurity is awful — well, at least that’s what many people believe based on the recent USA Today story.
The news organization found hackers were successful 159 times in penetrating Energy’s network between 2010 and 2014, including 53 instances where the attackers took control of the “root” servers.
USA Today found that the National Nuclear Security Administration (NNSA) experienced 19 successful attacks during the four-year period, according to the Freedom of Information Act records it obtained.
On the surface, it seems the Energy Department is just another federal agency that is, in the words of former White House cybersecurity official Melissa Hathaway, complacent, apathetic and/or negligent when it comes to securing its networks and data.
But when you take a closer look at the statistics, the picture isn’t all bad.
First off, the USA Today story highlights that the 159 successful intrusions were out of 1,131 cyberattacks, making the success rate 14 percent.
Industry averages for successful cyber attacks are hard to come by. Trustwave, a cyber company, said at the Black Hat conference in August that one piece of malware, called the RIG exploit kit, had a success rate of 34 percent.
While we all know the saying that one is too many, Energy’s defenses are successful in stopping attacks 86 percent of the time. That is a much different story than saying Energy has been breached more than 150 times.
Michael Johnson, Energy’s chief information officer, opened the door a bit wider at the AFCEA-Intelligence National Security Alliance conference on Sept. 10 to just what the department is up against and the progress it’s making.
While Johnson didn’t directly address the USA Today story, he did offer some numbers about what the agency is trying to protect:
DoE’s cyber budget is $1.5 billion
More than 600 total information systems
More than 300,000 unclassified end points
About 200 data centers
More than 37,000 mobile devices.
“We at DoE are putting in place a framework to simultaneously advance and safeguard the mission of the Department of Energy and enhance how we deter and defend against adversarial actors in the cyber space,” Johnson said. “There are five main ways we are doing this. Number one, we are advancing cyber as both information sharing and information safeguarding. It’s hugely important to have a common semantic framework when you are working cyber issues so you know and realize that cyber is about both advancing the mission of the department that I represent and also about safeguarding it and what you do to keep it safe.”
“It’s important to provide operational and situational awareness to inform, for example, the kill chain, when working through threats. What we must support is instantaneous, real time and automated sharing of cyber threat information,” Johnson said. “With instantaneous and automated sharing, an attack only succeeds once, and hence we lower the total number of successful attacks. So if there is a successful attack, for example a zero day, it should only work once, and that starts the bad guys to start over and over again.”
The third piece is moving off of legacy systems. The fourth is implementing cyber best practices, such as two-factor authentication and application whitelisting.
The final piece is investing in cyber research and development to improve trust in cyberspace.
There is a lot going on at Energy. It’s not that these 159 successful cyber attacks aren’t worrisome. As we’ve seen with the Office of Personnel Management and so many others, one bad day can ruin millions of people’s lives.
But the Energy Department, like every other agency, isn’t just sitting back and waiting for an attack through gaping holes in its networks, as some would insinuate. The reasons hackers are successful are complex and go far beyond thousands of pages of FOIA’ed documents, and that’s what USA Today and others too often tend to overlook.
This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.