— -- Federal investigators conducting covert surveillance and other secret operations successfully breached security at two secure U.S. government facilities in Maryland and Colorado, according to a new government report that one lawmaker today described as "disturbing, alarming."
One of the facilities breached contained a nuclear research reactor.
“Our covert vulnerability testing identified security vulnerabilities,” warns a report from the Government Accountability Office (GAO), which sent undercover agents to two campuses of the National Institute of Standards and Technology (NIST), an agency of the U.S. Commerce Department.
The report adds, “Specifically, GAO agents gained unauthorized access to various areas of both NIST campuses.”
Investigators sought access to the facilities 15 times and each time were successful, revealed House Committee on Science, Space, and Technology Chairman Lamar Smith, R-TX, whose panel held a hearing into the explosive report today.
“Lax physical security at NIST invites concerns about everything from petty vandalism and theft...to criminals or even terrorists stealing or releasing poisonous chemicals and other dangerous materials that are stored in NIST labs,” a committee aide told ABC News.
Seto Bagdoyan, GAO'S director of Audit Services, Forensic Audits & Investigative Service, told panel members that details of his agency's investigation could only be revealed in closed session.
NIST labs house a number of dangerous chemicals and radioactive material used for research and testing that could be deadly in the wrong hands.
The agency tests and sets standards for everything from radiation detectors used by the Department of Homeland Security, ballistic-resistant body armor used by police departments, to proper radiation and exposure levels for mammograms, and it has recently been tasked with researching and recommending ways for federal agencies to recover from any cyberattack.
GAO agents shot videos of their clandestine activity. Committee members and their staff were permitted to view the videos before the hearing, but the U.S. Commerce Department, under which NIST falls, asked the committee to treat the recorded material as “law enforcement sensitive,” which shields it from public view, and, for now, the committee is abiding by this request, according to the aide. Negotiations are ongoing to publish the material, the aide added.
"I have had an opportunity to watch the three videos a couple times now, and ... my reaction is: Disturbing, alarming, particularly when you think about the work that goes on at the NIST campuses...the sensitive work, the strategic work, the proprietary nature of what goes on at these facilities, much of what relates to national security," said Vice Chairman Darin LaHood, R-Illinois, of the panel's Oversight Subcommittee.
A Commerce Department spokesman tells ABC News, “The security breaches on the NIST campus have been of paramount concern to Secretary (Wilbur) Ross. He has been briefed on the GAO report and appreciates their frank assessment. Moving forward, the Secretary, along with the leadership at NIST, will ensure that the GAO recommendations are implemented.”
The committee aide said, “These risks threaten thousands of federal scientists and other federal workers, thousands of visitors with whom NIST works on a daily basis and the entire nearby communities.”
Serious security lapses not new
This is not the first security lapse at NIST, an agency that is home to the Atomic Clock and several Nobel Prize-winning scientists.
In 2015, a senior police lieutenant on the agency’s security force was convicted of attempting to manufacture methamphetamine in a NIST lab in Gaithersburg, Maryland, the same campus where GAO's current investigation focused. The lieutenant's failed effort resulted in an explosion that blew out windows and burned the officer.
A judge sentenced the man to more than three years in prison, according to court documents, referencing the popular TV series, “Breaking Bad,” in which a chemistry teacher decides to start making meth.
As Rep. Smith’s committee was investigating that 2015 breach, another incident occurred. An unauthorized individual wandered onto the Boulder, Colorado, campus into a sensitive area, according to a committee official.
NIST has seen some security improvements
But it’s not all bad news for NIST. Security has been improving since 2015, the GAO noted. The research agency has been working to educate its employees on the need for heightened security and have been conducting training sessions.
As part of its investigation, agents spoke to employees working in highly sensitive facilities, all of whom attend mandatory security training and “reported significantly fewer observations of colleagues not following NIST security policies,” the GAO report says.
But the report adds this ominous warning, “The remainder of NIST’s employees currently have no mandatory security training, and a higher percentage reported having observed a colleague not following NIST security policies.”
When asked by Rep. LaHood if the GAO is confident that another covert operation would fail, given some security measures enacted in the wake of a number of security problems, Bagdoyan demurred and said that NIST and the Commerce Department are taking "good first steps," but, he added, "We are probably playing a long game here in terms of getting thing done."
NIST Acting Director Kent Rochford readily agreed and said, "This is going to require a culture change," saying he would be meeting today with all managers and would soon provide "all hands-on staff" security summits and mandatory training for all NIST staff.