Report spanks cyber-security at Los Alamos National Lab (again)

As one of the nation's premier national security labs and one of three nuclear weapons facilities - and after a series of high-profile security flubs --  one would think they'd go out of their way to get the facility's security act together. Apparently not.

Watchdogs at the Government Accountability Office  said today that while the Los Alamos National Lab has indeed bolstered some of its cyber protection, weaknesses remain in protecting the confidentiality, integrity, and availability of information on its unclassified network, among other deficiencies. LANL's unclassified network contains sensitive information, such as unclassified controlled nuclear information, export control information, and personally identifiable information about laboratory employees.

Some specifics of the report include:

  • LANL has implemented a network security system that is capable of detecting potential intrusions; however, the GAO found vulnerabilities in several critical areas, including identifying and authenticating users; encrypting sensitive information; and monitoring and auditing compliance with security policies. For example, LANL has implemented strong authentication measures for accessing its unclassified network, but once access is initially gained, a user can work around the authentication measures to access certain sensitive information. A key reason for LANL's information security weaknesses is that the laboratory has not fully implemented an information security program to ensure that controls are effectively established and maintained, the GAO stated.
  • At the time of our review, LANL had not implemented complete security solutions to address either the storage of classified nuclear weapons parts in unapproved storage containers or weaknesses in its process for ensuring that actions taken to correct security deficiencies are completed.
  • Management approaches that LANL and National Nuclear Security Administration (NNSA) officials told us they would use to sustain security improvements over the long term were in the early stages of development or contained weaknesses.
  • The lab's ability to sustain its improved physical security is unproven because (1) the laboratory appears not to have done so after a significant security incident in 2004, and (2) NNSA's Los Alamos Site Office-which is responsible for overseeing physical security at LANL on a daily basis-may not have enough staff or the proper training for these staff to execute a fully effective security oversight program.
  • The labs cyber security officials told the GAO that funding to address some of their security concerns with respect to the laboratory's unclassified network has been inadequate. Officials told the GAO LANL has not adequately justified its request for additional funds, and NNSA is developing a process for developing cyber security budgets more systematically. We made 52 recommendations to the Secretary of Energy and the Administrator of NNSA that, if effectively implemented, would improve LANL's information security program and controls over its unclassified network. These recommendations address, among other things, ensuring that LANL's risk assessment for its unclassified network evaluates all known vulnerabilities and is revised periodically, and strengthening policies with a view toward further reducing, as appropriate, foreign nationals' access to the unclassified network, the GAO stated.
  • LANL's most recent risk assessment for its unclassified network generally identified and analyzed vulnerabilities, but did not account for risks identified by the laboratory's own internal vulnerability testing. Furthermore, the GAO and other external security evaluators have reported concerns about LANL's policies for granting foreign nationals-particularly those from countries classified as "sensitive" by DOE-access to the unclassified network.

In addition to it previous recommendation, the GAA said it made an additional 41 recommendations that it did not pubically  disseminate.

             Layer 8 in a box

Check out these other hot stories:

Researchers look to root out those annoying Wi-Fi dead zones

NASA unleashes rubber ducks to battle global warming

Deficit remains but US exports $214B worth of high-tech goods in 2007

Robot fights set to smack-down in Texas

NASA banging, freezing next generation space telescope into shape

GAO report torches US for dumping electric waste in foreign countries

FTC wants to clamp down on prepaid phone card deception

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)