House probes cyber security

By Roger Snodgrass

A House investigations subcommittee resumed scrutiny of security issues at the national weapons labs Thursday in Washington, D.C., with more than one suggestion that Los Alamos National Laboratory may have turned a corner.

The meeting was a follow-up on security at LANL, but new concerns about a physical security failure at Lawrence Livermore National Laboratory drew sharp attention.

LANL Director Michael Anastasio joined directors of the other two national labs and Department of Energy security officials at the hearing.

“I am pleased to report that at Los Alamos, we now have a record of successes, in both physical security and cyber security,” he said in an oral statement.

Anastasio and the others responded to a number of recent Government Accountability Office (GAO) and DOE Inspector General audits, along with testimony by the responsible officials during the hearing.

“Physical security at LANL is in a period of significant improvement and LANL is implementing over two dozen initiatives to better protect its classified assets,” stated the lead sentence in GAO’s formal testimony. “However, while LANL’s current initiatives address many physical security problems previously identified in external security evaluations, other significant problems have received insufficient attention.”

“The conclusions are mixed,” House Energy Committee Chairman Rep. John Dingell (D-Mich.) said in his opening remarks, noting signs of improvement in the latest report, “enough to make me cautiously optimistic that lab security is in some ways improving.”

Remaining concerns focused on LANL’s unproven ability to sustain its security improvements over the long term.

“The labs appear to improve when they’ve had a mishap and they know they’re under scrutiny,” said subcommittee chair Rep. Bart Stupak, D-Mich.

“How do we break the cyclical nature of that?”

One answer, according to Gregory Wilshusen, GAO’s director of information security issues, was better oversight – possibly hampered by insufficient and inadequately trained staff at the local site office of the National Nuclear Security Administration (NNSA) – and better use of incentive mechanisms in the contract for rewarding or penalizing security program performance.

New issues in cyber security were raised as a result of a “red team” exercise involving two of the labs, which were not identified.

Glenn Podonsky, DOE’s chief health, safety and security officer, reserved discussion of findings from the exercise to a closed-door session with the subcommittee members.

“In under 90 days we were able to take over the network of two of the labs,” he said during the public hearing, adding that more vulnerabilities would have been found with more than a handful of people and more time.

Special attention was given to a difficult issue having to do with access by foreign nationals working at the three laboratories. Each laboratory was working separately on the matter, which was considered a significant weakness at LANL in DOE evaluations last year.

As of May 2008, 688 foreign nationals had been granted access to LANL’s unclassified network, including about 300 from countries identified as “sensitive.” Sandia Director Thomas Hunter reported 11 foreign nationals, none of whom are from “sensitive” countries. The “sensitive” designation is based on national security, nuclear nonproliferation and terrorism concerns, according to a footnote in the GAO report.

All three lab directors outlined various precautions they have taken or are beginning to take on their information networks to respond to these concerns.

LLNL Director George Miller said his laboratory was adding a fourth network, a “blue” network for foreign nationals.

Anastasio said LANL didn’t have a “blue” network, but rather “a segmented element” on the unclassified network that is essentially the same thing.

Over a seven-year period from 2001, LANL has spent $51.4 million to protect and maintain its unclassified network, but officials told GAO that funding has not been adequate to address some security concerns. NNSA said the fault was LANL’s for not adequately justifying requests for additional funds.

The committee also discussed emerging security issues at LLNL, which went from a top rating in 2007 to the lowest possible rating during the spring based on a DOE evaluation for protective force performance and protection of classified resources.