The Nuclear Regulatory Commission stored sensitive data about nuclear plants on an unprotected, shared drive. The data contained detailed plans of nuclear facilities, along with the credit card number, home address and phone number of an NRC commissioner.
Coburn described NRC’s approach to cybersecurity as “general sloppiness.”
“Problems were identified but never scheduled to be fixed; fixes were scheduled but not completed; fixes were recorded as complete when they were not,” he wrote.
In January 2013, hackers were able to download a database from the U.S. Army Corps of Engineers that contained information about 85,000 dams in the nation.
Coburn said cyber attacks on agency systems are often the result of weak or out-of-date software.
“Failing to install software patches or update programs to their latest version creates entry points for spies, hackers and other malicious actors,” he said in the report.
“The department’s inspector general blamed the theft in part on a piece of software, which had not been updated in over two years, even though the department had purchased the upgrade,” Coburn wrote.
The Internal Revenue Service allowed its employees to create simple passwords, making them an easy target for hackers. Some passwords included the person’s name, the word “password,” the agency name and “qwerty.”
President Barack Obama’s executive order on Improving Critical Infrastructure Cybersecurity addressed securing agency computers to better protect the nation’s infrastructure.
Coburn said agencies are developing plans and working with the private sector to implement the executive order.
“As we move forward on this national strategy to boost the cybersecurity of our nation’s critical infrastructure, we cannot overlook the critical roles played by many government operations, and the dangerous vulnerabilities which persist in their information systems,” he said.