Los Alamos, We Hardly Knew You…But the GAO Fixed That
Well it is Friday night and I was not going to write anything or post anything for at least 24 hours; I promised myself. I like me and think it is poor form to break promises to me. That was before I read this article.
Upon initial read, I found myself floating quietly in low earth orbit enjoying a panoramic view of the Earth as my oxygen levels depleted slowly. Then came the descent. Hurtling towards the Earth at speeds not intended for man, I again found myself reading this article, debating whether another trip in low earth orbit was in the cards. Thankfully, cooler heads prevailed and I am here, writing this blog entry.
This is colossally embarrassing and scary for a number of different reasons, many of which, as you may imagine, relate directly to the business which goes on at Los Alamos. I am a huge fan of the GAO because they get it; they tell it like it is: good, bad, and often ugly. It is a quality I find endearing and necessary. Now, Los Alamos National Laboratory is not unique in that they have suffered breaches, several in fact, in recent years. They are, in my opinion, less unique than most would like to believe or would have dreamt possible.
What is disturbing is the factual nature of the findings. The GAO writes great auditor-friendly reports; they remind me of Sgt. Friday from Dragnet: “Just the facts, ma’am”. I am aghast, and quite honestly shocked, that despite all that has occurred and that we know of (and are permitted to discuss in non-classified environments), they found “significant weaknesses … in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network…” on the Los Alamos Laboratories network. Significant weaknesses at a laboratory whose primary focus is national defense and security. They say so on their own website; in fact, this is what they say:
“Los Alamos National Laboratory is a premier national security research institution, delivering scientific and engineering solutions for the nation’s most crucial and complex problems. Our primary responsibility is ensuring the safety, security, and reliability of the nation’s nuclear deterrent.”
The assessment demonstrated that the lab has vulnerabilities in several “critical” areas, some of which include deficiencies in identifying and authenticating users, authorizing user access, encrypting classified information and maintaining secure software configurations…how is that possible? As luck would have it, the GAO report tells us just how it is possible, and get this: no amount of ‘Cloud’ or ‘PCI’ voodoo could achieve what is required of the solution! (ready the ominous risk management music):
“A key reason for the information security weaknesses GAO identified was that the laboratory had not fully implemented an information security program to ensure that controls were effectively established and maintained.”
Heaven help us. The lab reportedly has not conducted a comprehensive risk assessment to date (well, there goes my decision to not have a beer tonight), nor has it achieved a proper state of data classification. What does data classification mean here? It means that they have not marked the classification level of information stored on its classified network (a very serious problem in environments where one ought never to commingle classified and non-classified data). Additionally, as if all this was not enough, they have failed to implement adequate training for their users with security responsibilities…which in my humble opinion means ALL USERS! The labs have “lost” assets due to theft: since January of this year approximately 67 computers have simply vanished…again, in a secure environment, I ask you…how is that possible? Over the last several years they have experienced other breaches and losses, which resulted in fines for the lab, most notably the one incurred as the result of a contract worker illegally downloading and removing hundreds of pages of data from the lab via USB thumb drives…yes, bartender, I will have another one. Additionally, the lab has taken flak in the past for not leveraging cryptographically sound email to share highly classified information.
According to the folks who broke this story at PC World, a representative for the lab said that in general they agreed with the report, citing that the lab has made progress in its cyber-security efforts. According to Michael Kane, associate administrator for the NNSA, in a letter to the GAO, the lab has addressed a number of key technical issues and is actively implementing policy to address the concerns brought to their attention via the report.
Comments
Ken Beames on 11.18.2009
From the GAO report “Furthermore, the laboratory’s decentralized approach to information security program management has led to inconsistent implementation of policy, and although the laboratory has taken steps to address management weakness, its efforts may be limited because LANL has not demonstrated a consistent capacity to sustain security improvements over the long term.”
OK, so, LANL started in 1943 and they have not YET seemed to demonstrate a consistent capacity to sustain security improvements over the long term?!?!
Well, in my job, if I can’t demonstrate a consistent capacity, the boss usually takes some corrective action.
Over the last 66 years LANL couldn’t manage this task. OK, it’s fairly complex, but the security concepts haven’t significantly changed since way back then.
66 YEARS!!! I’m, … I just, … It’s,… I am just dumbfounded.
What further boggles me is that LANL OUTSOURCED the security operations to a consortium of organizations under a newly formed LLC (in 2005); one of those organizations is the University of California.
Dude, who’s running this show?
Thanks for driving me to dig a fallout shelter under my house. Just what I wanted to spend my money and time on these days.
-Ken.
Will Gragido on 11.24.2009
Hey Ken!
Yeah this is pretty chilling stuff. I’m not sure what is more disturbing — that security there is for better or worse non-existent, or that people are still not talking about this nearly as much as they are about the 60 Minutes special (disturbing however for different reasons). I am personally horrified by the prospect that the environment set up to lead our nuclear deterrent program is so weakly protected. Here is a challenge / offer to the folks at the DOE and the Industry: If I could assemble the team would they allow experienced information security researchers & risk managers to assess and report for either a discounted rate or gratis? I think it’s important enough to consider. Were I @ the DOE I’d be considering it…I’d also be looking to fire someone for this dereliction of duty.
To your point, it’s been around for 57 years and they are still struggling to get security right? In that environment? They ought to be ashamed.