By George Lobsenz
Despite repeated high-profile lapses in protecting sensitive weapons data–and continuing “significant weaknesses” in its classified data protection programs–only about one-tenth of the $433 million spent by Los Alamos National Laboratory since 2001 on its classified computer network has gone to its core cyber security program, according to a federal review.
The study by the Government Accountability Office (GAO) said while Los Alamos has taken steps to improve classified data security, about 74 percent–or $322 million–of the $433 million spent on operation and maintenance of the nuclear weapons lab’s classified network has been spent on buying and installing high-performance computers.
Another $48 million has been spent on expanding the classified network so that the lab could reduce data stored on “removable” memory sticks or computer disks that can be easily taken offsite, as happened in a widely publicized incident in October 2006 when memory sticks with classified data were found in the home of a lab employee during a drug raid by local police.
Only $45 million has been spent on core cyber security programs, leaving the lab with major vulnerabilities in its data protection programs, GAO said.
“While Los Alamos National Laboratory (LANL) has implemented measures to enhance the security controls protecting information stored on and transmitted over its classified computer network, significant security control weaknesses remain,” GAO said in a report to Democratic and Republican leaders of the House Energy and Commerce Committee and its oversight and investigations subcommittee.
“LANL had vulnerabilities in several critical areas, including (1) identifying and authenticating the identity of users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance,” said the Oct. 14 report, which was not publicly released until mid-November.
In general, GAO said the lab had made progress in walling off its classified network from external access, but still had weaknesses that could be exploited by a knowledgeable insider. At the same time, it said LANL had not yet established an effective internal computer security program that identified risks, enforced compliance with protection procedures and tested the effectiveness of its safeguard programs.
GAO said a major problem was LANL’s decentralized management, which makes each operating division at the lab responsible for its own classified data security. GAO said that had led to “a patchwork of cyber security practices and procedures, which increases the risk of compromise….”
For their part, Los Alamos officials said part of the problem was that they had not received requested cyber security funds from the National Nuclear Security Administration (NNSA), the semi-autonomous Energy Department agency that oversees the department’s nuclear weapons complex.
In that regard, GAO noted that the directors of Los Alamos, Sandia and Lawrence Livermore national laboratories wrote the NNSA administrator in September 2006 to warn that cuts in cyber funding would expose the labs and NNSA to unacceptable security risks.
In addition, GAO said DoE’s Office of Independent Oversight said in a 2007 report that NNSA had not provided adequate funding for LANL’s cyber security program because NNSA lacked a formal, risk-based process for allocating cyber security funds across the weapons complex.
GAO said it was told by NNSA officials that funding decisions for cyber security programs were based on “available resources and risk evaluations conducted complex-wide and at individual sites, including LANL.
“As part of its budget process, NNSA determined that LANL’s request exceeded available resources and, as a result, NNSA only partially funded the laboratory’s cyber-security budget requests,” GAO said.
While cutting LANL’s cyber security funding, NNSA early in 2007 lowered the boom on LANL by issuing a rare secretarial compliance order directing the lab to take specific actions to address cyber weaknesses. The order followed in the wake of the highly embarrassing October 2006 incident in which memory sticks with classified data were found during the drug raid at a lab employee’s home.
GAO said LANL had taken measures to satisfy the compliance order, but that DoE and NNSA officials had expressed continuing concern to GAO about the lab’s ability to sustain security improvements over the long term.
GAO said the key to maintaining cyber security at LANL was to ensure effective federal oversight, but that NNSA’s Los Alamos site office currently lacked sufficient security experts to provide effective oversight. GAO also said the head of the NNSA site office had told GAO that no additional federal cyber security staff were needed.
In its official response to the GAO report, NNSA said it generally agreed with the GAO report, although the agency suggested the report had not adequately acknowledged cyber security improvements recently made at the lab. But GAO said the effectiveness of those improvements had not yet been tested, and thus could not be assured. It also recommended that NNSA review the effectiveness of LANL’s corrective actions within 12 months of their completion.