The nation's unclassified nuclear computer systems are vulnerable to successful cyber attacks because "generic" security contracts don't make it clear who's responsible for keeping an eye on them, federal watchdogs said Tuesday.
The Nuclear Regulatory Commission's cybersecurity center isn't "optimized to protect the agency's network in the current cyber threat environment," the NRC's inspector general office's said. The NRC's classified systems are separate and weren't addressed in the inspector general's report.
The finding comes at a time when the number of reported "computer security incidents" at the NRC is rising at almost twice the rate of the federal government as a whole, it said.
The "incidents" aren't detailed, but the inspector general said they include unauthorized access to unclassified NRC systems, injection of malicious code, "social engineering" attacks to obtain passwords and personal information and unauthorized scans and other access attempts.
The NRC had no comment. The inspector general said agency officials had stated their "general agreement" with its findings and recommendations, the results of an investigation that was conducted from July to November.
The outlines of the vulnerability are no secret. Two years ago, the Senate Homeland Security Committee criticized the NRC's cybersecurity infrastructure, alleging that the agency has regularly experienced "unauthorized disclosures of sensitive information."
NBC News Exclusive: Secret NSA Map Shows China Cyber Attacks on U.S. Targets
What the new report does is shine a light on why that's happening.
The report doesn't fault the staff of the Nuclear Security Operations Center, or SOC. They're meeting the requirements of their $252 million government contract, which expires in May 2017, it said.
The problems are in the contract itself, said the report, which found that the terms require staff to do little more than manage a few antivirus, anti-malware and anti-spam systems. And even then, there's no way to know for sure whether they're doing a good job.
"There are no performance goals," said the report, which means there's little way to determine "whether agency needs are being met."
In fact, the report said investigators had found exactly one numerical goal that could be reliably measured: "a specific time frame for updating security software on individual computers after they connect to the NRC network."
The report also found that:
- While contracts say procedures are supposed to be updated "as necessary," "necessary" is never defined, and there's no requirement to perform reviews to decide whether updates are needed.
- While someone's supposed to "gather and analyze statistical security information," the contracts never say who that is, or when and how they're supposed to do it.
- Monitoring of critical networks is behind the times, and when monitoring systems do detect something suspicious, investigators are hampered by a lack of clear guidelines on whom they're supposed to tell.
"NRC staff with an interest in SOC activities unanimously wished for proactive analysis and research into anomalies logged by network monitoring tools," the report said.
The inspector general recommended that the NRC rip up the "generic" security contract and write a new one that spells out who does what, how and when, and who's ultimately responsible.
"Robust SOC capabilities are particularly crucial given the sensitivity of the unclassified information processed on NRC's network, and the increasing volume of attacks carried out against Federal Government computer systems," it said.