Emergency zombie warnings make Coburn's list of federal cyber failures

Thursday - 2/6/2014, 10:44am EST

Warnings of a zombie attack sounded in many cities across the U.S., as hackers broke into the Federal Communications Commission's Emergency Broadcast System.

"Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living," a voice announced, along with a warning beep.

This cyber failure was just one of many in Sen. Tom Coburn's (R-Okla.) report on cybersecurity and critical infrastructure in the federal government.

The report, released Tuesday, examined more than 40 inspector general audits and revealed gaping holes in the security of agencies' systems.

The Nuclear Regulatory Commission stored sensitive data about nuclear plants on an unprotected, shared drive. The data contained detailed plans of nuclear facilities, along with the credit card number, home address and phone number of an NRC commissioner.

Coburn described NRC's approach to cybersecurity as "general sloppiness."

"Problems were identified but never scheduled to be fixed; fixes were scheduled but not completed; fixes were recorded as complete when they were not," he wrote.

In January 2013, hackers were able to download a database from the U.S. Army Corps of Engineers that contained information about 85,000 dams in the nation.

Coburn said cyber attacks on agency systems are often the result of weak or out-of-date software.

"Failing to install software patches or update programs to their latest version create entry points for spies, hackers and other malicious actors," he said in the report.

The Homeland Security Department's IG found the agency failed to update basic software, such as Microsoft applications, Adobe Acrobat and Java.

DHS also rated below the governmentwide average for usage of anti-virus software, according to the Office of Management and Budget.

Many federal employees have had their personal information exposed or stolen because of insecure systems.

In July 2013, hackers stole personal information from thousands of current and former employees at the Department of Energy.

"The department's inspector general blamed the theft in part on a piece of software, which had not been updated in over two years, even though the department had purchased the upgrade," Coburn wrote.

The Internal Revenue Service allowed its employees to create simple passwords, making them an easy target for hackers. Some passwords included the person's name, the word "password," the agency name and "qwerty."

President Barack Obama's executive order on Improving Critical Infrastructure Cybersecurity addressed securing agency computers to better protect the nation's infrastructure.

Coburn said agencies are developing plans and working with the private sector to implement the executive order.

"As we move forward on this national strategy to boost the cybersecurity of our nation's critical infrastructure, we cannot overlook the critical roles played by many government operations, and the dangerous vulnerabilities which persist in their information systems," he said.
