Cyber Security Shortcomings at Nuclear Labs?

Inspector General says Department of Energy must improve computer security.

Dec. 22, 2009 — -- The Department of Energy, which is responsible for the nation's nuclear weapons and nuclear energy, may jeopardize the security of its technology and lose millions of dollars if it does not improve its cyber security, according to a recent Inspector General's report.

Delays by the DOE's Office of Science in enhancing cyber security and standardizing its computer protocols may leave the agency's sensitive information vulnerable, and cost taxpayers upwards of $3 million. DOE has been embarrassed by security lapses in the past, like Wen Ho Lee's illegal download of classified information at the Los Alamos nuclear lab, the use of unauthorized laptops at the Oak Ridge lab, and successful cyberattacks that may have orginated in China.

"Any system that is not as secure as it should be could be subject to compromise," said Rickey Hass, Deputy Inspector General for Audit Services. "There are literally thousands of people who scan systems to try to gain access."

The mission of the Office of Science is to conduct research in energy, biological, environmental and computational sciences. Science, as the office is known, is responsible for numerous nuclear facilities, including Los Alamos, Lawrence Livermore and Oak Ridge. Science spent $287 million of its $4 billon 2008 budget to manage its IT program.

In a late November report that reviewed those expenditures, the Inspector General's office expressed concern that Science's seven field offices still don't have strict enough security configurations on their information systems. Science is expected to follow federal guidelines designed by the National Institute of Standards and Technology (NIST). The NIST guidelines affect passwords, encryption settings and login controls.

Several of Science's sites, including Oak Ridge, have developed security configurations outside of NIST standards.

"Participation in the program is made to help minimize intrusion risks," said Hass. "This is a federal requirement and we're bound to it for compliance with the standards."

In a written response to the IG report, a spokesperson insisted Science was committed to cyber security and willing to implement the NIST standards "as appropriate."

Security Breaches at Nuclear Labs

Past DOE scandals point up the importance of computer security. In 2000, Wen Ho Lee, then a scientist at Los Alamos, pleaded guilty to a felony charge of improperly downloading restricted data from the laboratory's classified network. He transferred data about nuclear weapons design onto tapes.

Lee had been suspected of stealing nuclear secrets so he could pass them to China or some other country, but was exonerated and later won a settlement from the government and multiple media organizations.

In 2007, hackers attacked some of the DOE nuclear labs with email phishing attacks. The Lawrence Livermore lab thwarted the attacks, but the phishers may have succeeded in extracting personal information on lab visitors, including Social Security numbers, from Oak Ridge. Authorities told ABC News the attack seemed to have originated in China. In 2008, ABC News reported on unauthorized laptops being brought in and out of Oak Ridge.

In addition to cyber security issues, the IG's report expressed concern for Science's hardware acquisition policies. The report says Science has failed to consistently enforce IT hardware standards for desktops, laptops and related peripherals, leading to higher costs.

"The average price paid for a desktop computer ranged from $1628 to $2814 at the five laboratories reviewed, a price variance of 73 percent," said the report. The report also noted that "the price paid for computer monitors that were the same or similar to one another ranged from $256 to $1236."

The IG's report indicates the bulk of the nearly $3.3 million in potential cost savings over three years could be achieved by reining in hardware acquisition costs.

In its response to the IG report, Science said it agrees with the recommendation to lower hardware acquisition costs and implement standards. However, Science officials said the IG's cost numbers do not offer an accurate portrayal. "[The report] does not provide analysis on the costs/benefits of the approach being used by each respective laboratory."

The report also disagrees with Science's decision not to establish a common computer infrastructure for employees at three major facilities, its Washington headquarters, Oak Ridge, and the Argonne lab outside Chicago. The IT infrastructures at these sites are decentralized and independent of the Department of Energy Common Operating Environment.

According to the report, "Although Science had the opportunity to consolidate its Federal IT environment to leverage potential cost savings, each of the three locations utilized a different contractor to manage support service such as helpdesk support, operated different IT infrastructures, and purchased hardware and software from different groups."

Science's cyber technology problems are being blamed on the agency's lack of strong enforcement of policies, its refusal to adopt NIST guidelines, and its need for a more rigorous process to monitor costs.

While Science agreed with many of the IG's findings, its written response insisted that Science establishes and enforces IT standards that meet the needs of each field office.

In its letter to the IG, Science said it continues to evaluate the IT costs for support and hardware and that it plans to address several of the issues in the report. The agency has a year to chart its progress after which time it could be subject to another re-evaluation.