Audit Report: IG-0631

A significant number of the Department of Energy (Department) sites
were not taking appropriate action to report computer attacks, probes,
or compromises. Specifically, computer incidents were not always
being reported to the Computer Incident Advisory Capability (CIAC) as
required by Departmental guidance. Office of Inspector General
Technology Crimes Section (Technology Crimes) and Federal
counterintelligence officials were also not always notified of incidents
as appropriate.
Despite policy changes designed to increase awareness and specific
reporting guidance from the Office of Management and Budget
(OMB)1, most sites were not reporting malicious or persistent computer
attacks. For example, 43 of 80 (54 percent) of the Department's
organizations made no reports of malicious activity to CIAC during
FY 2002. As noted by senior cyber security officials at Headquarters, it
is improbable that non-reporting organizations were not subject to
significant or unusually persistent attacks or probes considering the
dramatic increase in malicious attacks or reconnaissance of Federal
systems. This view is bolstered by data furnished by the Federal
Computer Incident Response Center indicating that computer incidents
increased Government-wide by more than 7,000 percent during
FY 2002.onsent