Zombie invasion alert recalled as US Senate criticises slack cybersecurity

PUBLISHED : Wednesday, 05 February, 2014, 4:47am
UPDATED : Wednesday, 05 February, 2014, 4:52am

The message broadcast in several states last winter was equal parts alarming and absurd: "Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living ... do not attempt to approach or apprehend these bodies, as they are considered extremely dangerous."

The reported zombie invasion was not something out of the The Walking Dead. It was the US federal Emergency Alert System under control of hackers - who exploited weaknesses that are disturbingly common in many critical systems throughout government, according to a Senate cybersecurity report.

US officials have warned for years that the prospect of a cyberattack is the top threat to the nation and have sharply increased spending for computer security.

Yet the report by the Republican staff of the Senate Homeland Security and Governmental Affairs Committee says that federal agencies are ill-prepared to defend networks against hackers.

"As a taxpayer, I'm outraged," said Alan Paller, who is research director at the SANS Institute, a cybersecurity education group. "We're spending all this money and getting so little impact for it."

The report cited repeated failures by federal officials to perform the unglamorous work of information security.

That includes installing security patches, updating anti-virus software, communicating on secure networks and requiring strong passwords. A common password on federal systems, the report found, is "password".

The bogus zombie alert - carried by television stations in Michigan, Montana and New Mexico - highlighted flaws in the oversight of the Emergency Alert System, which is mandated by the Federal Communications Commission and managed by the Federal Emergency Management Agency.

"Almost every agency faces a cybersecurity challenge," said Michael Daniel, special assistant to the Obama administration on cybersecurity policy. "Some are farther along than others in driving awareness of it."