Lag time raises questions

By John Severance

Present and former Los Alamos National Laboratory workers have received letters from the Department of Energy in the past two months alerting them to a cyber-incident at the end of July that resulted in the unauthorized disclosure of personal information on those employees.

One letter to a former LANL employee, who asked not to be identified, said, “the department is committed to notifying those that are affected by the incident and offering assistance on protecting themselves from potential identity theft. … You have been identified as one of the individuals affected by this incident.”

The letter told the former employee that the name, social security number, date of birth and possibly bank routing and account numbers may have been compromised.

DOE officials did not respond to requests for further information.

“I am really mad,” the former employee said. “I really can’t believe this and why it took so long to get notified.”

In the letter, DOE offers those affected by the cyber-incident free credit monitoring for one year; requests for the monitoring must be made by Jan. 31.

The former employee is questioning why it took so long for the government agency to send notices out.

The letter to this specific former employee said, “we regret the delay between the initial announcement of this incident and the delivery of your notification. In many cases, there was insufficient contact information available.”

The DOE Inspector General, in a report, also weighed in on the cyber-attacks that may have affected up to 100,000 former and present employees, employee dependents and contractors.

It is believed that 1,400 present and former lab employees were affected. And LANL followed up with notices of its own to those potentially affected.

The Los Alamos Monitor also learned that DOE sent emails to those affected, but a lot of them ended up in spam folders and were never seen. That is why LANL sent out its notices after getting the list from DOE.

The lab said in a statement, “No Los Alamos systems were compromised and the data was not accessed via the Los Alamos networks. The breach occurred on a non-LANL system and Los Alamos does not use the type of software involved.”

The IG report, released in late October, talked about its cyber concerns with LANL.

“We identified continuing concerns related to Los Alamos’ implementation of risk management, system security testing and vulnerability management practices. The issues identified occurred, in part, because of a lack of effective monitoring and oversight of Los Alamos’ cyber security program by the Los Alamos Site Office, including approval of practices that were less rigorous than those required by Federal directives. 

“In addition, we found that Los Alamos’ Information Technology Directorate had not followed National Nuclear Security Administration policies and guidance for assessing system risk and had not fully implemented the laboratory’s own policy related to ensuring that scanning was conducted to identify and mitigate security vulnerabilities in a timely manner.”

The DOE IG also made the following recommendations in its report.

1. Correct, through the implementation of appropriate controls, the weaknesses identified within this report;

2. Ensure that policies and procedures are developed, as needed, and are implemented in accordance with Federal and Department requirements to adequately secure systems and applications;

3. Ensure that effective performance monitoring practices are implemented to assess overall performance for protecting information technology resources;

4. Fully develop and use plans of actions and milestones to prioritize and track remediation of all cyber security weaknesses requiring corrective actions; and

5. Ensure that the Department includes information for both Federal and contractor systems when reporting the status of performance metrics annually to the Department of Homeland Security.

In its response to the report, “Department management concurred with each of the report’s recommendations and indicated that corrective actions would be identified and tracked in the appropriate plans of action and milestones.”

Meanwhile, the Aiken (S.C.) Standard reported last month that an arrest was made in the July 2013 cyber-attacks.

The newspaper reported that Lauri Love, 28, of Stradishall, England, was charged with conspiracy to access and damage the protected computer networks of multiple U.S. government agencies.