Cyber security faulted at U.S. Energy Department Updated 6:58 PM ET June 13, 2000

WASHINGTON (Reuters) - Several unclassified computer networks belonging to the U.S. Energy Department are so vulnerable to intruders that "any Internet user" could gain control of them, an in-house watchdog told Congress Tuesday.

An audit carried out April 17 to 28 found an unspecified number of "Web servers" managed by individual program offices were located entirely outside a so-called firewall designed to protect against unauthorized access.

A Web server is a computer that displays pages on the Internet. At issue is the department's unclassified computing system. It consists of a backbone network and 25 invidividual local area networks operated by 29 different program offices in the Washington area.

In all but one case, "there are no security barriers between segments" connected to the common backbone, Energy Secretary Bill Richardson's Office of Independent Oversight and Performance Assurance reported.

Most of the servers outside the firewall were found to be "vulnerable to common hacking exploits, and some contain vulnerabilities that could allow any Internet user to gain system administrator-level privileges," Glenn Podonsky, the office director, said.

With such high-level access, an attacker could deface or shut down an Energy Department Web site "or configure the server to launch attacks against other Internet entitites," the public version of the watchdog's report said.

"Headquarters has not developed overall cyber security procedures or minimum requirements for each network segment on the network," Podonsky added. He made his comments to the House Commerce Subcommittee on Oversight and Investigations.

ONLY AS GOOD AS THE WEAKEST LINK

Disclosure of the gaps in cyber security were the latest blow to the Energy Department, which acknowledged Monday that two highly classified computer hard drives containing nuclear weapons data had disappeared from a vault at Los Alamos National Laboaratory in New Mexico.

Podonsky said the overall Energy Department network was only as good at the weakest link.

"In effect, the potentially effective practices of some program offices are largely negated by the ineffective practices of other program offices," he said. The audit was prompted by a request from Rep. Heather Wilson, a New Mexico Republican.

Retired Air Force Gen. Eugene Habiger, the department's security "czar," told the panel that the department was moving aggressively to address shortcomings cited in the cyber security audit.

He faulted the Republican-led Congress for allegedly failing to meet the department's fiscal 2000 supplemental budget request for $35 million to address cyber security needs. Instead, he said, Congress appropriated only $7 million.

"Consequently, the headquarters' unclassified cyber security intitiatives were given low priority in light of more pressing needs at our field sites," Habiger said.

Habiger took over as director of a newly created Office of Security and Emergency Operations a year ago after a Taiwanese-American scientist, Wen Ho Lee, was fired on charges of mishandling nuclear secrets at Los Alamos. Lee, now at a New Mexico prison awaiting trial, has denied the charges.

House Commerce Commitee Chairman Tom Bliley, a Virginia Republican, called the audit evidence of "nothing less than a failure of leadership" by Richardson. Richardson is a possible vice-presidential running mate of Al Gore, the presumptive Democratic nominee for president in the November elections.

Referring to the missing hard drives, Bliley said the Energy Department and its labs "still have a long way to go before the American public can or should feel confident that our nuclear secrets are safe in their hands."

http://news.excite.com/news/r/000613/18/crime-nuclear-computers

-- Martin Thompson (mthom1927@aol.com), June 13, 2000