Report berates DOE lab security

A report issued last week by a special panel of senior intelligence and security officials on what some experts are calling the worst case of espionage in U.S. history has increased the scrutiny of government computer security programs and policies and has caused many to question the government's commitment to information assurance.

The report comes just three months after President Clinton ordered a comprehensive review of security failures that allowed Chinese spies to steal an unknown amount of the United States' most sensitive nuclear weapons secrets from Energy Department research laboratories. The report concluded that midlevel managers throughout DOE have responded to the recent Chinese spy scandal with a "business as usual" attitude, while foreign nationals residing in "sensitive countries" continue to have unmonitored remote dial-up access to lab networks. The report was prepared by the President's Foreign Intelligence Advisory Board (PFIAB), which was led by former Sen. Warren Rudman, once chairman of the Senate Select Committee on Intelligence.

Until just a few weeks before the report was made public, panel members said they were approached by government users and other officials who informed them of enduring gaps in computer and network security, leading the panel to conclude that the computer networks at the nation's five weapons laboratories still are "riddled with vulnerabilities."

The report, "Science at its Best, Security at its Worst," follows a similar study conducted under Reps. Christopher Cox (R-Calif.) and Norman Dicks (D-Wash.), who headed the House select committee that investigated the Chinese espionage case. Twenty-six of the report's recommendations, which focus on improving cybersecurity measures and export controls on high-performance computers, were attached to the Defense Department's fiscal 2000 authorization bill.

The Rudman report has caused a stir on Capitol Hill and throughout the intelligence and security communities by concluding that many holes remain in the nation's information systems security programs and that the problems may be more widespread than once thought.

For example, senior military officials in Europe told FCW that routine security audits recently have discovered physical connections between unclassified and classified computer networks. The connections were left in place because operators found it too difficult or inconvenient to transfer unclassified files from one system to the other using floppy disks or e-mail. It was also discovered that simple misspellings can cause information to pass inadvertently through network guards designed to monitor classified information.

Speaking at the GovTechNet International Conference and Exposition in Washington, D.C., last week, Rep. Tom Davis (R-Va.) said computer security "has not been given enough emphasis in this country" and that not enough research is being done to study future vulnerabilities.

Steven Aftergood, an intelligence and security expert with the Federation of American Scientists, said it appears that security policy throughout the government is prone to be reactive rather than proactive in nature. "Unfortunately, security is often failure-driven instead of threat-driven," Aftergood said. "Instead of anticipating problems, large bureaucracies tend to wait until something goes wrong before taking action."

Allen Thomson, a former CIA analyst and a frequent contributor to FAS studies, called the cybersecurity failures at the weapons labs "absolutely routine bureaucratic behavior such as I saw many, many times both while at the CIA and afterwards."

According to Thomson, it took the CIA about a year to remove highly classified documents from a general access document retrieval system after the classified documents started to show up inadvertently in the document queue. "So was it then, so is it now and so - apparently - shall it ever be," Thomson said.

The three-month study of DOE's computer security program uncovered recurring problems, including poor labeling and tracking of computer media, problems with lax password enforcement on laboratory computer workstations and a significant failure to control access to sensitive and classified networks.

Computer security methods throughout DOE over the past two decades have been "naive at best and dangerously irresponsible at worst," the report said. "Computer systems at some DOE facilities were so easy to access that even department analysts likened them to 'automatic teller machines,' [allowing] unauthorized withdrawals at our nation's expense."

A DOE spokeswoman said last week that the department had not finished reviewing the report and was not ready to provide a response to it.

Last Wednesday, DOE Secretary Bill Richardson named a retired Air Force general, Eugene Habiger, as director of a new Office of Security and Emergency Operations. This office, created last month, incorporates the staff of chief information officer John Gilligan and is responsible for computer security.

The spokeswoman said she could not provide any information about Habiger's plans for computer security because he has not yet taken office. He is expected to join DOE in early July. Meanwhile, DOE is asking Congress for $50 million to fund computer security improvements over the next two years.

