U.S. Department of Energy
Office of Inspector General
Office of Investigations

Investigative Report to Management

January 24, 2012

MEMORANDUM FOR THE CHIEF INFORMATION OFFICER, NATIONAL NUCLEAR SECURITY ADMINISTRATION

FROM: [(b)(6), (b)(7)(C)], Technology Crimes Section

SUBJECT: Investigation of Unauthorized Disclosure of Information by an Employee of the National Nuclear Security Administration (OIG Case No. I12TC001)

This report serves to inform you of the results of an investigation by the U.S. Department of Energy (DOE) Office of Inspector General (OIG), Office of Investigations (Investigations). The investigation involved allegations of unauthorized release of sensitive cyber security information [(b)(6), (b)(7)(C)] Incident Assurance Response Center (IARC), National Nuclear Security Administration (NNSA), Las Vegas, NV. Specifically, it was alleged that [(b)(6), (b)(7)(C)] publicly posted sensitive computer network security information to the Internet from August 3-8, 2011. This information included approximately 4,838 proprietary intrusion detection signatures, which allow NNSA cyber security to detect known security threats to the Department's unclassified network.

In summary, prior to OIG involvement, an IARC internal investigation found that [(b)(6), (b)(7)(C)] did publicly post the identified sensitive information and that [(b)(6), (b)(7)(C)] conduct was in violation of DOE policy regarding the handling of information classified as Official Use Only. As a result, [(b)(6), (b)(7)(C)] the IARC contract by [(b)(6), (b)(7)(C)]. The Assistant United States Attorney for the District of Nevada, Las Vegas, NV, declined to prosecute [(b)(6), (b)(7)(C)].

The OIG's subsequent investigation found that the NNSA was in violation of DOE policy regarding proper reporting of cyber incidents of this type. Specifically, DOE Order 205.1B, Department of Energy Cyber Security Program, states that this category of cyber security incident shall be reported to the Department's Joint
Cybersecurity Coordination Center (JC3) within 4 hours after learning of an incident. The NNSA never reported the above-cited incident through official channels to the JC3. The JC3 independently learned of the incident through an anonymous source and published an incident report regarding the matter on October 17, 2011, 69 days after the incident was originally identified by the IARC (August 8, 2011).

OIG Case No. I12TC001. This document is for OFFICIAL USE ONLY. Public disclosure is determined by the Freedom of Information Act (Title 5, U.S.C., Section 552) and the Privacy Act (Title 5, U.S.C., Section 552a).

Additionally, and for your information, the OIG is conducting an audit of the Department's incident response management program. The audit report, when completed, will be forwarded to the Department for review.

This report makes 3 recommendations for corrective action related to potential control deficiencies. For questions or further information regarding this report, please contact Special Agent [(b)(6), (b)(7)(C)] at 202-586-[(b)(6), (b)(7)(C)].

INVESTIGATIVE REPORT TO MANAGEMENT

I. ALLEGATION

On October 6, 2011, the U.S. Department of Energy (Department) Office of Inspector General received an allegation from the DOE Chief Information Security Office that [(b)(6), (b)(7)(C)], Incident Assurance Response Center (IARC), National Nuclear Security Administration (NNSA), posted approximately 4,838 sensitive computer intrusion detection signatures to a publicly accessible Internet website for a period of six days. According to a report provided by the complainant, this information was discovered by the DOE Computer Security Incident Response Team (CSIRT), Los Alamos National Labs (Los Alamos), on August 8, 2011. The CSIRT reported the incident to the IARC on August 8, 2011.

Additionally, the OIG is conducting an audit of the Department's incident
response management program, titled The Department's Cyber Security Incident Management Program. The audit's purpose is to determine whether the Department has developed and deployed an effective enterprise-wide cyber security incident management program. The audit report, when completed, will be forwarded to the Department for review.

II. POTENTIAL STATUTORY OR REGULATORY VIOLATIONS

The OIG investigation focused on potential violations of reporting and notification procedures regarding cyber security incidents in accordance with DOE Order 205.1B, Department of Energy Cyber Security Program, which states under section 4.c.(13) that:

A defined process for incident reporting that requires all cyber security incidents involving information or information systems, including privacy breaches, under DOE or DOE contractor control must be identified, mitigated, categorized, and reported to the DOE Cyber Incident Response Capability (DOE-CIRC, and now known as JC3) in accordance with DOE-CIRC procedures and guidance. This document outlines the referenced DOE-CIRC reporting procedures and guidance to facilitate your reporting and CIRC's response activity. CIRC should be informed of all reportable cyber security incidents as specified below. CIRC will work with your site management to determine the severity or significance of any cyber security incident.

Further guidance contained in the order states that Information Compromise is a type 1 low security incident, which is defined as:

Any unauthorized disclosure of information that is released from control to entities that do not require the information to accomplish an official Government function, such as may occur due to inadequate clearing, purging, or destruction of media and related equipment, or transmitting information to an unauthorized entity.

The
incident in question falls under the category of a type 1 incident. JC3 requires type 1 incidents to be reported to them within 4 hours.

III. INVESTIGATIVE FINDINGS

Summary

The OIG investigation found the NNSA did not follow proper procedure in accordance with DOE Order 205.1B requiring the reporting of cyber security incidents to appropriate authorities within a specified timeframe.

Details

Unauthorized Posting of Sensitive Cyber Security Information to a Public Website

OIG review of an internal NNSA IARC report of investigation regarding the incident in question revealed that sensitive cyber security information in the possession of [(b)(6), (b)(7)(C)], National Nuclear Security Administration, Incident Assurance Response Center, NNSA, Las Vegas, NV, was uploaded by [(b)(6), (b)(7)(C)] to a commercial Internet cloud storage service known as box.net for a period of approximately 41 days. The sensitive information was in the form of proprietary intrusion detection signatures, which allow NNSA cyber security to detect known security threats to the Department's unclassified network.

After uploading these detection signatures to box.net, [(b)(6), (b)(7)(C)] then linked the information to [(b)(6), (b)(7)(C)] publicly available Internet blog for a period of six days. The unauthorized posting of this information to [(b)(6), (b)(7)(C)] personal Internet blog was discovered by the DOE Computer Security Incident Response Team (CSIRT), Los Alamos National Labs (Los Alamos), on August 8, 2011, and subsequently reported by CSIRT to the IARC on the same day.

Additionally, as part of its internal investigation, [(b)(6), (b)(7)(C)] found it to be a personal account accessible only to [(b)(6), (b)(7)(C)].

Failure to Properly Report a Cyber Security Incident

NNSA never reported the incident in question to the Department's Joint Cybersecurity Coordination Center (JC3). Instead, when the IARC learned of the incident from the CSIRT, it reported the matter to NNSA and then conducted its own internal investigation from August 8, 2011, to August 10, 2011. At the end of its internal
investigation, IARC concluded no compromise based on public disclosure of the cited information occurred. It reached this conclusion despite specific regulatory language to the contrary, as found in DOE Order 205.1B. The IARC [(b)(6), (b)(7)(C)] cited earlier in this report, [(b)(6), (b)(7)(C)], decided not to report the incident to JC3. They briefed [(b)(6), (b)(7)(C)], NNSA, and [(b)(6), (b)(7)(C)] concurred with this decision. This position is contrary to the plain language of DOE Order 205.1B.

IV. COORDINATION

The OIG coordinated this matter with Michael Chu, Assistant United States Attorney (AUSA), District of Nevada, Las Vegas, NV. AUSA Chu declined criminal prosecution of [(b)(6), (b)(7)(C)] in this case.

V. RECOMMENDATIONS

Based on the information in this report and other information that may be available to you, the OIG recommends that the Office of Chief Information Officer, NNSA:

1. Determine if the IARC has adequate controls in place to ensure compliance with DOE Order 205.1B, Department of Energy Cyber Security Program.
2. Determine if training is necessary regarding proper reporting procedures for incidents involving DOE Order 205.1B, Department of Energy Cyber Security Program.
3. Determine if periodic assessments should be conducted in the future to determine if events are being properly reported.

VI. FOLLOW-UP REQUIREMENTS

Please provide the Office of Inspector General with a written response within 30 days concerning any action(s) taken or anticipated in response to this report.

VII. PRIVACY ACT AND FREEDOM OF INFORMATION ACT NOTICE

This report, including any attachments and information contained therein, is the property of the Office of Inspector General (OIG) and is for OFFICIAL USE ONLY. The original and any copies of the report must be appropriately controlled and maintained. Disclosure to unauthorized persons
without prior OIG written approval is strictly prohibited and may subject the disclosing party to liability. Unauthorized persons may include, but are not limited to, individuals referenced in the report, contractors, and individuals outside the Department of Energy. Public disclosure is determined by the Freedom of Information Act (Title 5, U.S.C., Section 552) and the Privacy Act (Title 5, U.S.C., Section 552a).

DOE F 1325.8 (08-93)
United States Government, Department of Energy

Memorandum

DATE: August 9, 2012
REPLY TO ATTN OF: IG-24 [(b)(6), (b)(7)(C)], Special Agent [(b)(6), (b)(7)(C)]
TO: [(b)(6), (b)(7)(C)], Technology Crimes Section

The purpose of this memorandum is to recommend the closing of OIG Case Number I12TC001.

ALLEGATION

On October 7, 2011, Special Agent (SA) [(b)(6), (b)(7)(C)], Technology Crimes Section, Office of Inspector General (OIG), Department of Energy (DOE), was notified by [(b)(6), (b)(7)(C)], National Nuclear Security Administration (NNSA), of the alleged unauthorized disclosure of sensitive network security information by a contractor at the Information Assurance Response Center, NNSA, Las Vegas, NV.

POTENTIAL STATUTORY VIOLATIONS

The investigation focused on a potential criminal violation of Title 18, U.S.C., § 1030, Fraud and related activity in connection with computers.

INVESTIGATIVE FINDINGS

The investigation did not substantiate allegations of a criminal nature. However, based on investigative findings, a DOE OIG Incident Report to Management (IRM) was submitted to Robert Osborn, Chief Information Officer (OCIO), NNSA, on January 24, 2012. The IRM made the following three recommendations: 1) Determine if the IARC has adequate controls in place to ensure compliance with DOE Order 205.1B, Department of Energy Cyber Security Program; 2) Determine if training is necessary
regarding proper reporting procedures for incidents involving DOE Order 205.1B, Department of Energy Cyber Security Program; and 3) Determine if periodic assessments should be conducted in the future to determine if events are being properly reported.

On April 9, 2012, a written response was received from the OCIO of NNSA. According to the written response, NNSA management concurs with all OIG recommendations. NNSA has requested regular assessments by DOE Office of Health, Safety and Security (HSS) of the IARC to determine if events are being properly reported and the staff is adhering to Department policies, national standards, accepted practices, and procedures. NNSA will request that HSS place special emphasis on OIG findings for the foreseeable future to ensure no systematic issues remain.

RECOMMENDATION

This case is being recommended for closure, as all prudent investigative measures were taken, the allegation was substantiated, and no further investigative activities remain. Should you have questions or require further information

[(b)(6), (b)(7)(C)], Special Agent
Technology Crimes Section
Office of Inspector General

[(b)(6), (b)(7)(C)]    Date
Technology Crimes Section
Office of Inspector General