
Los Alamos nuclear lab loses more data

Weapons centre continues abysmal security record.

The error-prone Los Alamos Nuclear Laboratory has inadvertently released highly classified nuclear weapons material again, this time by email.

This was followed by the theft of a Los Alamos laptop. Both incidents have occurred since last October, when a crack dealer was found in possession of lab nuclear weapons data on a USB stick.

The Los Alamos National Laboratory is one of the USA's three nuclear weapons laboratories. It carries out sensitive national security missions, including helping to ensure that the US nuclear weapons stockpile is safe, secure and reliable. It has a history of poor discipline in handling classified data and is managed by LANS, Los Alamos National Security.

Following the discovery of classified nuclear weapons data on a crack dealer's USB stick, the lab operators were fined $3.3 million by the US Department of Energy. The lab then vowed to stop storing classified data on any removable media.

However, this did not extend to removable computers such as laptops. Over the May and June period a staff member of the lab took his laptop, containing "government documents of a sensitive nature", with him on vacation to Ireland, where it was stolen.

The lab then took an inventory of all its laptops and replaced many of them with non-portable desktop computers.

Jef Berger, a Los Alamos spokesperson, said: "information contained on the computer was of sufficiently low sensitivity that, had the employee followed proper laboratory procedure, he would have been authorised to take it to Ireland."

The employee did not follow proper procedure. Berger added that following the theft the lab is acting to narrowly restrict the use of lab laptops during foreign travel. The lab is also strengthening its employees' understanding of their responsibilities and lab procedures in such matters. He did not say why this had not taken place before.

Following the Newsweek report, Berger stated: "After a rigorous review, computer forensics experts at the Lab determined with a very high level of confidence that the laptop stolen from a hotel room in Ireland did not contain any classified materials or any personally identifiable information. Nor were any national security interests jeopardised."

Email security breach

In January Harold P. Smith, a LANS board consultant and former Pentagon atomic weapons adviser, sent a message containing classified data to at least two other board members. He used the ordinary Internet instead of a secure Defense Department network. The message was relayed to at least three more board members.

The incident has been described as comprising “the most serious breach of US national security,” and has been rated as Impact Measurement Index-1 (IMI-1), the most serious level of security violation.

Following this, some LANS board members have now received security sensitivity training. Again, it is not known why they had not received such training before.

Danielle Brian, executive director of the Project on Government Oversight (POGO), said: "How can we expect Los Alamos, which has thousands of employees, to clean up its abysmal ongoing record of serious security breaches when members of its own board can't even keep track of their classified communications with each other?"

POGO is an independent non-profit organisation that investigates and exposes corruption and other misconduct in order to achieve a more accountable federal government.

POGO senior investigator Peter Stockton said the operator "has been fined, lab officials have been fired, and the lab was even closed for a number of months so that it could get its act together. It's clear that it just can't." The lab has a history of security breaches going back seven years.

Los Alamos lab's security policy seems to consist of applying quick-fix security sticking plaster after each breach with no top-down, root-and-branch review of data security. The history of its secure data handling policy is one of serial breaches and frantic catch-up efforts.



Comments

OhGoodGrief | Published: 22:05 GMT, 07 August 2007

I agree that a facility doing national security research should be held to a high standard, as indeed it is (apparently a higher standard than any of the OTHER related facilities, in fact) but to quote a LANL-issued statement on the most recent internal e-mail event, "It does appear that an individual inadvertently released sensitive information into the Lab's protected, or "yellow" network, it was quickly caught, quickly removed and there is no suspicion or evidence that any National Security interests were damaged. There is no evidence that the information ever left the laboratory's protected network. To characterize this as another "breach" of security is misleading at best."

NotAsHarmlessAsYouThink | Published: 19:46 GMT, 07 August 2007

The email went out over the internet (it's a series of tubes, you see), NOT a private network, and was purged off of one University of California server. Since these "tubes" sometimes get clogged, the message may have used other tubes and might be stored somewhere along the way. Maybe some readers need some heavier shoes to keep their knees from jerking up so rapidly to defend our perfect union. I, for one, find your stats upsetting rather than comforting. Maybe other departments lose hardware, too, but is the data encrypted? Did they follow their procedures to mitigate the risk of loss? How about if we hold some departments to a higher standard than others. This might be a good department to start with. Then we can move on to fixing the other ones. We agree on one point though. TechWorld should report on all of the hardware going out the doors of our sensitive environments. I don't think they should bury this story just because other people lose stuff too, though.

OhGoodGrief | Published: 18:28 GMT, 07 August 2007

So, it appears that every lost pencil and irrelevant laptop is worthy of hysterics here. . . Can you name another 12,000-employee institution that NEVER, EVER has a laptop stolen? Let's see, the Dep't of State has lost HUNDREDS, and Dep't of Defense apparently doesn't even keep track, they go so fast. Note, it was not a classified machine, and had no personnel data, so why the big deal? And the most recent news flurry, over an errant INTERNAL e-mail, was on an internal network only, no outside access. Seems like TechWorld needs to reexamine its motives and its level of reporting rigor just a bit.
