Feds fault lab cyber security

-A A +A

LANL disputes characterization

By Roger Snodgrass

In answer to a bipartisan request by the leadership of two committees in the House of Representatives, the Government Accountability Office identified a number of “shortcomings” in the cyber security program at Los Alamos National Laboratory.

Cyber security encompasses a number of activities that attempt to prevent unauthorized disclosure of sensitive information on the laboratory’s classified computers.

“While the laboratory has taken steps to protect information on its classified computer network, a number of security weaknesses remain,” GAO concluded.

Laboratory spokesman Kevin Roark said the lab recognizes that cyber security threats “relentless and increasing,” but disagreed with the characterization of cyber security at LANL as “lax.”

“The vast majority of issues raised in the GAO report have been resolved, many issues were fixed as they were identified, and we continue to make improvements.  All of these issues have previously been widely reported in the press, and no new issues have been raised by this GAO report,” he said in a prepared statement this morning. “All classified data at Los Alamos is extremely well protected and isolated from the Internet, and all indications – including other external audits — confirm that this most important of information continues to be safe.”

LANL critic Jay Coghlan, executive director of Nuclear Watch New Mexico saw a discrepancy between what the laboratory spends on “fancy and speculative ‘high performance computing’ (illustrated by a graph in the report) – about $70 million in 2008, versus the ‘core classified Cyber Security Program (about $5 million in the same year).”

“Clearly the lab was more focused on having bragging rights for the fastest

supercomputer rather than being 100 percent vigilant about protecting the nation’s nuclear secrets,” he said.

The shortcomings discussed in the report represent “vulnerabilities in several critical areas, including (1) identifying and authenticating the identity of users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance

In the report released late Friday, “Actions Needed to Better Manage, Protect, and Sustain Improvements to Los Alamos National Laboratory’s Classified Computer Network,” GAO recited the history of cyber security problems.

The 10-year list goes back to the Wen Ho Lee case in 1999, when classified information was recorded on unmarked disks that were taken out of the laboratory and never found after they were said to have been dumped in the Los Alamos County landfill.

That incident was followed in 2000 by the loss and discovery behind a copying machine of classified removable media (CREM) containing nuclear weapons design information used by the National Emergency Search Team. Then in 2003 and 2004, the lab was unable to account for compact disks and removable hard drives.

This difficult period culminated in a highly publicized thumb drive incident, in which many pages of documents and electronic data were discovered in a trailer park during a drug investigation in October 2006.

That was figuratively the last straw for then-Energy Secretary Samuel Bodman.

Under pressure from several of the congressmen who requested the current study, Bodman proceeded to hold strictly accountable both the former contractor, the University of California and the successor contractor, Los Alamos National Security, LLC.  

At that time a number of reforms were supposed to have been completed, but on closer inspection, GAO said they are not adequate.

At the same time, GAO acknowledges that “in the laboratory’s view, funding for its core classified cyber security program, in particular has been inadequate for implementing an effective program.”

A joint letter from the directors of the three national nuclear weapons labs in 2006 to the National Nuclear Security Administrator put them on record that the funding was inadequate and “would expose the laboratories and NNSA to an unacceptable level of security and operational risk.

LANL requested $44 million for its cyber security program between 2007 and 2008 but only received $33 million.

GAO also noted that a DOE oversight office concluded that NNSA had short-changed LANL’s cyber security funding and that NNSA had decided that the funding request exceeded available resources and therefore could not be met.

In a letter expressing general agreement with GAO’s findings, a senior NNSA official emphasized the significant progress LANL has made and blamed NNSA’s deficiencies on problems associated with implementing complex-wide reforms in a dynamic cyber-environment.