Watchdog: Lab Spurned Tech Solution

A change of storage was turned down for Los Alamos 4 years ago, says watchdog group

UPDATED 7/23 5:30 PM

July 23, 2004

As storage networking vendors pitch solutions to security breaches at Los Alamos National Laboratory, a government watchdog group says at least one suggestion -- the use of diskless workstations -- was turned down long ago (see Vendors Descend on Los Alamos).

According to the Project on Government Oversight (POGO), government reps turned down a proposal to eliminate the use of "classified removable electronic media" (CREM) by lab scientists at least three years ago.

POGO says Los Alamos's chief information officer, along with CIOs from other U.S. Department of Energy labs and facilities, met in August 2000 to discuss the need for better security to protect nuclear secrets from "insider" threats, given that scientists at Los Alamos and elsewhere use portable Zip drives and other CREM in their work.

According to a report written by POGO in October 2001, the assembled technologists agreed that the chief threat to the safety of nuclear secrets at Los Alamos was the possibility that a "trusted insider" would walk off with secrets that hadn't been adequately safeguarded in storage.

"Everyone agreed that DOE had to move ahead quickly on the 'insider' problem before the Hill or the press found out that virtually nothing effective had been done to stop a dedicated insider," the report states. "An implementation strategy was established at the Livermore meeting for near-term enhanced security for classified systems including implementing 'media-less' computing systems... A schedule was developed during this meeting that would have had this system in place before the end of 2000 at a cost in the neighborhood of $10-15 million. The consensus was that these changes would have taken DOE from a low confidence level that a trusted insider could be stopped, to near certainty."

Apparently, a move to diskless workstations was not to be. POGO says a representative from the National Nuclear Security Administration believed a move away from portable CREM would affect lab morale negatively.

Los Alamos spokesman Kevin Roark said earlier this week that diskless workstations, along with secure storage libraries, were being considered as part of a large-scale, multimillion-dollar effort to cut CREM at the lab.

CREM reduction is now seen as a means of halting security concerns at the lab, which rose to fever pitch and resulted in a lab shutdown last week when two items of classified CREM went missing.

Roark and other lab spokespeople could not be reached for comment on the POGO report.

A spokeswoman for NNSA says the POGO report applies to situations that occurred under the previous Clinton administration, with which she isn't familiar. But she says that back on May 7, Secretary of Energy Spencer Abraham outlined a Cyber Security Enhancement Initiative that includes the use of diskless workstations and beefed-up intrusion detection to avoid a CREM breach.

Today (Friday, July 23), Abraham followed up with an order that calls for an "immediate stand-down" on the use of CREM in any Department of Energy facility. In a prepared statement, Abraham said: "The situation at LANL suggests that we must minimize the risk of human error or malfeasance to a much greater extent. Thus, while we have no evidence that the problems currently being investigated are present elsewhere, we have a responsibility to take all necessary action to prevent such problems from occurring at all. Therefore, I have directed that we stand-down all operations involving so-called controlled removable electronic media until such time as a site or facility conducts appropriate training, reviews security procedures, ensures complete and accountable custodial responsibility, and arranges for a complete inventory."

The new CREM drill involves a new CREM inventory at each site, and the use of unspecified kinds of "approved repositories" for Zip disks and other removable media. Specifics aren't clear, but the directive has gained the approval of POGO, which released a "thumbs up" statement of its own lauding Abraham's decision.

Mary Jander, Site Editor, Byte and Switch
