Energy officials face the Hill grill again on security


By Tony Lee Orr

GCN Staff

The Energy Department last week boosted its chief information officer's authority in the wake of another negative report about systems security, this time at department headquarters.

CIO John M. Gilligan outlined his security plans at a hearing of the House Commerce Subcommittee on Oversight and Investigations. Although lawmakers originally planned to focus on systems vulnerabilities at Energy headquarters, the recent discovery of missing nuclear data at the department's Los Alamos National Laboratory took precedence during the hearing.

The department has suffered a series of security setbacks since its founding, highlighted in myriad reviews, studies and investigative reports. The new report from Glenn Podonsky, director of Energy's Independent Oversight and Performance Assurance Office, came in response to a request from Rep. Heather Wilson (R-N.M.). She asked Podonsky to evaluate the security of headquarters Web servers.

Podonsky's office succeeded in taking over Energy computers via the Web and could have used them to attack other government computers, he testified. His staff also found that many Web servers were outside the headquarters firewall. The unprotected servers, managed by individual program offices, were vulnerable to basic hacking techniques that would let any Internet user gain system administrator-level access, he said.

Gilligan told the committee he would implement fixes within 60 days and asked Podonsky to review the systems in early fall.

Even well-secured servers and systems, including others under Gilligan's own auspices, were compromised through the weakly protected systems outside the firewall, Podonsky said. The report blamed poor management for the problems.

Gilligan and retired Air Force Gen. Eugene E. Habiger, Energy's security czar, agreed with Podonsky that Energy's management structure is part of the problem.

The 25 LAN segments, covering 29 program offices, have widely varying levels of security effectiveness, Podonsky said.

Gilligan said that as CIO he could only point out problems and make suggestions but had no authority to force changes.

Security catch-22

'The potentially effective practices of some program offices are largely negated by the ineffective practices of other program offices,' Podonsky testified.

Such criticisms are not new to Energy. A report by the President's Foreign Intelligence Advisory Board outlined similar management problems at the department's labs [GCN, Feb. 21, Page 1].

Energy focused so much effort on resolving security problems at its labs that it neglected security at headquarters, Gilligan said in an interview.

The situation Energy hoped to eradicate at its labs continued unabated at the main office, he said.

This spring, each headquarters office created an information assurance plan, as required by Energy's new security policy for unclassified systems. Gilligan said his office found serious weaknesses in the plans.

To alleviate the problems, Gilligan said, he plans to take four steps:

• Develop, implement and enforce formal network connection policies.

• Develop, manage, enforce and run an integrated security configuration management process.

• Develop, manage and implement a security self-assessment process for headquarters offices.

• Centrally manage network security, including firewalls, intrusion detection, vulnerability scanning and auditing of the headquarters systems infrastructure.
