DOE office reviews, tightens security

The Energy Department, which suffered some of the most damaging computer security breaches in government, has begun to tighten security through a newly established office, according to government auditors and DOE security experts.

Last month, the Office of Independent Oversight and Performance Assurance released its first reviews of the national nuclear weapons laboratories. The Los Alamos National Laboratory improved its security posture to "satisfactory," the highest rating under the office's three-tier system, while Lawrence Livermore and Sandia laboratories were rated as "marginal."

The ratings indicate that security at the labs has improved, and they mark a return to the department's practice of reviewing facilities instead of just "profiling" them, said evaluators from the General Accounting Office.

The profiles were a "status check rather than a rating," said Ken Lightner, a GAO evaluator who has been following DOE oversight and security operations. "What we've seen since April...is they're back doing inspections again."

DOE created the Office of Independent Oversight and Performance Assurance in May as part of a new departmentwide security strategy created in response to computer security holes that led to China's alleged theft of U.S. nuclear secrets. The office performs three functions:

It reviews the safeguards and security at all of the Energy facilities.

It performs real-time cybersecurity reviews, including continual vulnerability and intrusion scanning.

The most important changes have been made in the new position the oversight office has within DOE, an arrangement that allows the office to work with program people to solve security problems, a senior department official said.

"Part of the problem with this department is that we have too many people looking for problems and not enough fixing them," the official said. "We feel like we are making a difference in the department now."

The office's independent position within DOE has been questioned in the past, but because the office's managers report to only Energy Secretary Bill Richardson, with occasional briefings to Congress, office officials feel they are responsible to no program within the department. GAO agrees that it is possible for a group to be independent, even though it is still inside an organization.

"It is theoretically possible to have independent oversight within an organization, as long as that entity is insulated from policy concerns," said William Fenzel, a GAO evaluator. "But it's also helpful to have the external oversight...and Energy has not been lacking that in the past six months."

The oversight office works with chief information officer John Gilligan; the department's new "security czar," Eugene Habiger; and counterintelligence director Edward Curran, the department official said. There are weekly meetings to talk about issues, status, problems and successes, but the policy groups run the meetings and only call on the information and knowledge of the oversight office, he said.

In addition, the attitude of the office toward the facilities being reviewed has changed in a way that can only benefit the department, the official said. "We try not to be like neo-Nazis and just embarrass everyone," he said. "We try to come in and find out how we can help people."

The office plans to help improve security by returning to each facility to check whether each item mentioned in the reviews has been fixed, rather than showing up months later and finding that nothing has been done, he said.
