Why Is Devin Nunes Rushing to Give More Data to Hack-Tastic Department of Energy?

On several occasions, I’ve pointed out that the agencies that would automatically receive data shared with the federal government under cybersecurity bills being pushed through Congress aren’t any more secure than the Office of Personnel Management, which China hacked in spectacular fashion. Among the worst — and getting worse rather than better — is the Department of Energy.

Earlier this week, USAT published more information on how bad things are at DoE.

Cyber attackers successfully compromised the security of U.S. Department of Energy computer systems more than 150 times between 2010 and 2014, according to a review of federal records obtained by USA TODAY.

Incident reports submitted by federal officials and contractors since late 2010 to the Energy Department’s Joint Cybersecurity Coordination Center shows a near-consistent barrage of attempts to breach the security of critical information systems that contain sensitive data about the nation’s power grid, nuclear weapons stockpile and energy labs.

The records, obtained by USA TODAY through the Freedom of Information Act, show DOE components reported a total of 1,131 cyberattacks over a 48-month period ending in October 2014. Of those attempted cyber intrusions, 159 were successful.

Yet at yesterday’s Cyber Threats hearing (around 2 minutes), House Intelligence Chair Devin Nunes suggested he only learned of this detail from USAT’s report. “[J]ust this morning we learned that Department of Energy was successfully hacked 159 times.”

It’s troubling enough that the guy overseeing much of the government’s cybersecurity efforts didn’t already know these details (and I presume that means Nunes is also unaware that DoE has actually been getting worse as the Administration tries to fix major holes). Especially given that DoE is part of the Intelligence Community.

But it’s even more troubling given that HPSCI’s Protecting Cyber Networks Act, like the Senate’s Cyber Intelligence Sharing Act, automatically shares incoming cyber threat data with DoE (and permits private entities to share with DoE directly).

This is the height of irresponsibility. Devin Nunes is rushing to share this data — he pushed for quick passage of these bills in the same breath as noting how insecure DoE is — yet he hadn’t even bothered to review whether the agencies that would get the data have a consistent history of getting pwned.

Nunes did say that we need to ensure these agencies are secure. But the data is clear: DoE isn’t secure.

So why not plug those holes before putting more data in for hackers to get?

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

5 replies
  1. bloopie2 says:

    “breach the security of critical information systems that contain sensitive data”.

    Solution: No way that will ever happen — all we need to do is encrypt it, right?

    Problem: Weelll, not exactly. “After hackers leaked Ashley Madison data in three massive dumps, security experts discovered a commendable surprise within the infidelity site’s source code. Ashley Madison’s programmers had, it seemed, protected users’ passwords with strong cryptography. Given the time and computing power needed to crack the whole lot, some researchers believed deciphering it might take centuries. … Turns out that wasn’t the whole story. A group of hobbyist hackers revealed in a blog post on Thursday that it has cracked more than 11 million of the some 36 million credentials registered to the site.”

    http://fortune.com/2015/09/11/ashley-madison-passwords/

    Next Solution: Actually, it turns out that the site didn’t always use the best available crypto-procedures. Have the Feds do better, they can afford it, right?

    Next Problem: How can we count on the US government, with its huge numbers of computer systems (some so outdated that they don’t even support encryption AT ALL), to always use the most modern, up-to-date, not-broken-yet, encryption standards?

    Next Solution: The NSA (likely the best hacking organization extant) should be tasked with trying to get into each and every government system. Circulate the results internally, fix the problem areas.

    Next Problem: The results of the NSA study would inevitably make it out into the public domain. Right there for hackers to see who is the easy target.

    Takeaway: The real solution is to not have sensitive data stored on computers that are accessible online. (Yeah, right, like that will ever happen.)

  2. jerryy says:

    Has anyone bothered to check what was being put into the data whilst the crackers were busy honing their skills?

    There is more to the story than just a bunch of folks in a dimly lit room rubbing their hands together and gleefully chanting ‘muahahaha’ as the data downloads onto their thumb drives. Altering or planting records can cause trouble as well.

  3. emptywheel says:

    That’s actually something Clapper was particularly worried about. He also seemed anxious that China (or whoever did this–they were actually less certain about this attribution than reporting suggests) hasn’t used this data yet. I wonder if it was Israel, not China…

    Given that we have replaced data before I can see why Clapper would be worried.

  4. ThingsComeUndone says:

    Could be the hackers just want to see who is getting Dept of Energy loans. If I could invest in green energy projects before news they got Dept of Energy loans became public I’d make a mint.
    “In 2011, solar panel company Solyndra defaulted on a $535 million loan guaranteed by the Department of Energy. The agency had a few other high-profile bankruptcies, too — electric car company Fisker and solar company Abound among them. But now that loan program has started turning a profit.

    Overall, the agency has loaned $34.2 billion to a variety of businesses, under a program designed to speed up development of clean-energy technology. Companies have defaulted on $780 million of that — a loss rate of 2.28 percent. The agency also has collected $810 million in interest payments, putting the program $30 million in the black.” http://www.npr.org/2014/11/13/363572151/after-solyndra-loss-u-s-energy-loan-program-turning-a-profit

    I wonder how those companies do after they pay back their Dept of Energy loans? Oil companies, it should be noted, get tons more cash than green power companies worldwide.
