The Department of Energy Is Under Attack. Cyber Attack
By: Hundreds of pages of emails released Thursday to CNBC in response to a Freedom of Information Act request paint a picture of a federal agency aggressively responding to a series of what it sees as hostile attempts by private sector firms to access its website at times when market-moving economic data are released to the public.
In a letter to CNBC, the Department of Energy revealed that the federal government is mounting an “ongoing investigation of a confidential nature” into the activities of private sector firms accessing the Department’s website.
The documents released “are records that were compiled for the purposes of monitoring, detecting and enforcing potential violations of certain Federal laws and regulations,” wrote Alexander Morris, the FOIA officer for the Department of Energy’s Office of Information Resources.
But the documents are heavily redacted, and in most cases, the Department of Energy has declined to disclose the names of the firms that it blocked from accessing its website or that it corresponded with about blocks. Click Here to Read the Department of Energy Letter and FOIA Documents.
“The release of individual and company names has the potential of compromising any investigation and resulting enforcement proceeding,” Morris wrote. “Release of this information would also disclose the focus and parameters of the investigation in its infancy and potentially cause the destruction of evidence.”
The new documents come at a time when Washington is increasingly focused on how highly valuable government information is released to the public, and whether some well-connected high-speed investors can get an unfair advantage in the market as a result. But efforts to clamp down have proven controversial.
On Wednesday, the House Oversight and Government Reform Committee examined complaints by news organizations about new regulations at the Department of Labor governing release of the highly anticipated monthly jobs report. Journalists are concerned about new security rules that would require them to use government computers, telecommunications lines and even pens and paper.
The Department of Energy similarly releases market-moving information on its website on a regular basis, such as the weekly natural gas storage report, which have an immediate impact on industry players and Wall Street traders betting on prices in energy commodities markets. Advance notice of the numbers—even by a little as a few milliseconds—could be enormously valuable to a savvy trader able to immediately place bets in the market.
Previous Accusations Of 'Malicious Intent'
Officials at the Department of Energy have previously said some users appear to have a “malicious intent” to slow down the website’s release of data for the general public while speeding it up for themselves. And they’ve said that they respond by blocking the IP addresses of firms that violate their rules on the number of times per second a given IP address can hit the Department of Energy’s servers.
But in the new document release, the Department of Energy argued that some of the firms may have committed inadvertent breaches of its rules. “While some of the individuals linked to the blocked IP addresses may have been involved in prohibited conduct, it is not clear that all of them were so involved,” Morris wrote.
“Some of the IP addresses may have been blocked as a result of a users’ technical operational error. Although the DOE recognizes there is a significant public interest in the identities of users who were overly aggressive in accessing [Energy Information Administration] data, not all of the users included on the blocked IP addresses were acting with an intent to cause delays to other users accessing [Energy Information Administration] data.”
“Therefore, we have determined that the individual privacy interests outweigh the public’s interest in their identities.”
Taken as a whole, the emails released to CNBC show that people representing energy companies, trading firms, and even a journalistic organization have been blocked by the Department of Energy for aggressive use of the website.
And the emails show long series of communication between some of the firms and the Department of Energy as they try to reset their settings to stay inside the government’s website rules. Other entities, however, appear to ignore complaints from the government about their access of the data.
It is the entities that do not respond at all to government attempts to get them to slow down that are most concerning to experts. The emails generally reveal that those firms corresponding with the government were able to come to a mutually agreeable resolution, although several were involved in multiple incidents and were blocked on multiple occasions.
Among those firms that did respond, many of executives corresponding with the government apparently represented the IT departments of large organizations. But others had titles such as “Commodities and Energy Global Service Manager,” “Natural Gas and Power Analyst,” and “Fuels Trader.”
Complaints About The Rules
In the emails, several of the firms complain to the Department of Energy that they can’t abide by the department’s connection rules if the department will not tell them what they are. Government officials routinely tell the firms to lower the number of times per second they access the website, but refuse to tell them what number of hits per second is acceptable. In fact, the Department of Energy, in an effort to protect technical secrets and safeguard its IT processes, has redacted from the documents released to CNBC all of the references to the specifics of what the firms were doing that were objectionable.
“Specific information withheld from these documents includes the number of times per second an automated retrieval program, or ‘robot,’ attempts to access EIA’s website before EIA blocks its Internet Protocol (IP) address,” Morris wrote in his letter to CNBC.
However, in an email dated June 7, 2011, an information security official for a firm called OGE Energy told the Department of Energy that in order to remove the government block, it will reduce its rate to an estimated 75 hits per second. The next notation in that file appears to show that the Department of Energy subsequently unblocked the firm. OGE Energy did not immediately respond to a request for comment from CNBC on Thursday.
In another case, a firm executive sent an email to a Department of Energy contact complaining in part about the opacity of the rules. “We discussed the fact that we were accessing the below mentioned site too many times [Redacted] at 10:30 a.m. last Thursday, the normal publishing time for the data which our organization requires. This resulted in our blacklisting. When I asked how many times [Redacted] is considered reasonable, you said this information cannot be divulged.”
The Department of Energy contact replied simply, “[Redacted] per second is extremely too high.”
The relationship between the government and the private sector firms is occasionally testy. In one case a firm emails with a request: “Please unblock our IP address. We are valid, legitimate consumers … this mistake delayed our attempts to retrieve this important data.”
But the government official was unmoved. “This was not a mistake, this is the SECOND incident,” he responded.
Computer Security Lingo
In several instances, Department of Energy officials emailed among themselves about the types of attacks they were seeing.
In one case, a contractor emails her colleagues about a specific incident: “I want to point out that [Redacted] excessive behavior yesterday was not the result of multiple IPs accessing the data but in fact a single IP that hit us for over [Redacted] right at 10:30. To be clear these connections were not all GET requests, but actual SYN Flooding where they sent us traffic and opened connections without actually requesting data—they were just taking up available download slots.”
A SYN attack is a type of denial of service attack that’s designed to slow down a computer server for legitimate traffic. A GET request asks for a web page from a server.
In other correspondence between themselves, Department of Energy officials spot people accessing the government website and “Jumping IP addresses.” That’s a method of hiding a person’s IP address from the site the person is trying to access, and it can make it appear that a user is someone he or she is not.
Elsewhere, a staffer alerts colleagues, “Wild Blue is hitting the site from multiple ranges.”
