Increasing security breaches worry Energy IG

By Susan M. Menke
Published on January 22, 2008


Inspector General Gregory Friedman hopes to lock down security on the Energy Department's interconnected computer networks, after auditors called 132 security breaches serious enough to report to law enforcement in fiscal 2006 — 22 percent more than in the prior year.

The department's 69 organizations support as many as eight separate intrusion and analysis groups, which do not use a common incident-reporting format and do not always retain crucial information about cyberattacks, the IG said in a report released today. Some sites opt out of monitoring their networks or even disable the sensor equipment.

Energy has found such cyber weaknesses before but "does not specifically require that incidents be reported to law enforcement or counterintelligence officials," the report said. The IG recommends:

  • Developing and implementing an enterprisewide cyber incident management strategy.
  • Taking a consistent approach to developing or revising policies across all Energy organizations.
  • Finding a way to periodically test and evaluate the department's overall performance in cybersecurity incidents.

The Office of the Chief Information Officer's Computer Incident Advisory Capability has been watching cybersecurity and providing computer forensics services to the department since 1989, at a cost of $6.8 million in fiscal 2006, the IG report said. Nevertheless, other groups, such as the National Nuclear Security Administration's Information Assurance Response Center and smaller organizations at various Energy sites, compete with CIAC for authority and funding. 

The CIO in 2006 called for "an integrated approach to management of cyber incidents." The department's most recent guidance, however, does not cover communications and coordination in "Incident Management Guidance," known as CS-9. A draft replacement known as "Technical and Management Requirement 9" does not address the duplication of security efforts, the IG said. Plans to revitalize policies within 60 days of the February 2006 acceptance of a similar report have yet to be approved.

The IG report said it took 10 months to learn that a hacker had stolen the names and Social Security numbers of 1,500 Energy employees from an NNSA site in 2005. Seven of 11 field sites audited, three federal and eight contractor-operated, have not identified which of their systems store such personal information or evaluated the risks of exposing it.

Energy's CIO will now draft a formal departmental cybersecurity strategy by March 31, according to the report.


