Energy’s Cyber Response Office Misspent Millions Due to Lack of Budget Management

Igor Borisenko/iStock.com

Complaints alleged the relatively new CESER misspent $11.7 million, though the inspector general could only substantiate some of those claims.

A special cybersecurity office established a few years ago within the Energy Department had some suspicious spending habits, most of which seemed to be resolved after a change in leadership, according to complaints investigated by the agency inspector general.

The Office of Cybersecurity, Energy Security and Emergency Response, or CESER, was created in 2018 to help protect the nation’s energy infrastructure from emerging threats, chiefly those coming from cyberspace and other digital means. The IG report notes Congress has given CESER $276 million to date—$120 million in fiscal 2019 and $156 million in 2020—and the office has requested $185 million in 2021.

An inspector general report released Monday compiles several complaints alleging mismanagement, including the inappropriate use of $11.7 million allocated to the office and a lack of staff dedicated to managing the budget.

The IG received several allegations, which the office divided into four buckets:

  • CESER lacks internal control policies and procedures and a full-time staff to oversee its budget.
  • $7.5 million in funding allocated to a national lab was used to finance a startup company.
  • $2.2 million in software licenses were purchased but never used.
  • $2 million in CESER funds were used to update a website run by the General Services Administration.

The audit substantiated two of the four claims—the lack of internal controls and purchase of unused software licenses. The other two complaints were not fully substantiated, though the IG questioned whether those funds were being spent wisely.

In a complaint filed with the IG, a tipster alleged that $7.5 million allocated to the Idaho National Laboratory were used to fund a startup company. The IG confirmed that CESER allotted funds to INL to “further develop the Cyber Analytics Tools and Techniques program,” but could not substantiate claims that the funds were funneled to a startup business.

That said, the program is suspicious, according to the report.

“While $4 million of the funds were returned to the department’s Office of the Chief Financial Officer after a change in management within CESER in February 2020, the project was being reconsidered near the end of our review,” the report states. “However, management indicated that this effort was paused pending completion of our review.”

Another complaint focused on the same program alleged CESER officials spent $2 million fixing the Login.gov web portal—a single sign-on tool developed by GSA and made available to federal agencies for a fee.

The IG determined that the funding was not used to upgrade the Login.gov web portal; however, $2 million was set aside for an interagency agreement between CESER and GSA to better integrate Login.gov tools in the Cyber Analytics Tools and Techniques program. While this use of funds was deemed appropriate, the IG had issues with the results.

“Despite the use of a portion of the allocated CESER resources, a CESER official stated that the program remained non-operational at the time of our review,” the report states. “Therefore, we questioned the use of more than $128,000 in expenditures by CESER.”

All of these issues stemmed from the first: a lack of budget controls and management.

“In particular, despite concerns being raised by several program officials, senior CESER management had not taken action to establish program-level internal controls, such as policies and procedures,” the IG wrote. “The lack of program-level internal controls also contributed to identified weaknesses related to software acquisitions, the direction of program funds, and contracting for GSA services prematurely. Had adequate controls been implemented, the weaknesses could have been identified and actions taken to ensure activities were conducted in accordance with laws and regulations.”

The watchdog also noted CESER leadership could have asked for help from colleagues with the Energy Department, such as the Office of Electricity, “which could have enhanced the control environment.”

Overall, the IG said CESER appears to be moving in the right direction.

“To its credit, CESER management has taken a number of positive actions related to acquisitions beginning in February 2020,” the report states. “These actions are encouraging and, when fully implemented, should address many of our report’s concerns.”

The report repeatedly cites February 2020 as a key turning point, noting “a change in management” as the office’s first director, Karen Evans, was replaced by former NSA official Alexander Gates.

The IG made four recommendations to help ensure the program doesn’t backslide:

  • Develop and implement an internal control program that includes documented policies and procedures related to areas such as contract and financial management, procurement and staffing.
  • Ensure that federal and department procurement requirements are followed related to areas such as acquisition of commercial software licenses, contract management and the use of interagency agreements.
  • Evaluate and determine whether GSA’s Login.gov services should be utilized within CESER and, if not, ensure that funds are returned to CESER.
  • Ensure the department’s Office of the General Counsel has access to all meetings related to CESER’s procurement process and a concurrence role when program decisions deviate from federal requirements or Office of the General Counsel’s advice.

"The Department of Energy appreciates the Inspector General’s review of mismanagement in CESER," an Energy Department spokesperson told Nextgov. "DOE concurs with the findings and is taking steps to fix the issues outlined in the report."

Editor's Note: This story has been updated with a comment from the Energy Department.