Cybersecurity holes persist at DOE labs, study finds

Despite what may be the worst spy case in U.S. history involving nuclear weapon design data, the computer networks at the nation's five weapons laboratories continue to be "riddled with vulnerabilities," according to a report by a special investigative panel of intelligence and security officials.

According to the report, "Science at its Best, Security at its Worst," issued this month by the President's Foreign Intelligence Advisory Board, midlevel managers throughout the Energy Department have responded to the recent Chinese spy scandal with a "business as usual" attitude, while foreign nationals residing in "sensitive countries" continue to have unmonitored remote dial-up access to lab networks.

The three-month study uncovered recurring problems with DOE's computer security program, including poor labeling and tracking of computer media, lax password enforcement on laboratory computer workstations and a significant failure to control access to sensitive and classified networks.

Computer security methods throughout DOE over the last two decades have been "naive at best and dangerously irresponsible at worst," the report said. In fact, "computer systems at some DOE facilities were so easy to access that even department analysts likened them to 'automatic teller machines,' [allowing] unauthorized withdrawals at our nation's expense," the report said.

Security audits also uncovered what the report calls "remarkable" lapses in addressing security problems and procedural gaps at many DOE labs. According to the report, it took DOE 31 months to write and approve a network security plan, 24 months to order security labels for mislabeled software, 20 months to ensure that improperly stored classified computer media had been safeguarded and 51 months to properly safeguard cryptographic material used to secure telephones. It even took 11 months to remove a deceased employee from classified document access lists, according to the report.

The report also outlined instances of classified information being placed on unclassified networks well after the department had developed a corrective action plan in July 1998. "The predominant attitude toward security and counterintelligence among many DOE and lab managers has ranged from half-hearted, grudging accommodation to smug disregard," the report concluded.
