[ISN] DOE secretary scolds lab on security issues

From: InfoSec News (alerts@private)
Date: Wed Nov 29 2006 - 22:56:46 PST


http://www.lamonitor.com/articles/2006/11/29/headline_news/news01.txt

By ROGER SNODGRASS
Monitor Assistant Editor
November 30, 2006

A special inquiry into the most recent security breach at Los Alamos 
National Laboratory has uncovered "significant deficiencies and 
vulnerabilities that need to be addressed," said Energy Secretary Samuel 
Bodman in a statement Tuesday.

On Oct. 17, police investigators found classified material in the Los 
Alamos mobile home of a former employee of a laboratory contractor. 
During a follow-up search, images of apparently classified documents were 
found on a jump drive and several hundred hardcopy pages of laboratory 
documents with classified markings were recovered, according to the 
results of the special inquiry.

The case is in the hands of the Federal Bureau of Investigation, but 
Bodman also requested the department's Inspector General, Gregory H. 
Friedman, to conduct a special inquiry last month.

The results, Bodman said, contain information that cannot be disclosed 
to the public. But because of public interest in the matter, he decided 
to release the cover letter from the IG's report.

Friedman's overview bulleted three flaws he considered serious:

* In a number of key areas, security policy was non-existent, applied 
  inconsistently or not followed;

* Critical cyber security internal controls and safeguards were not 
  functioning as intended; and

* Monitoring by both laboratory and federal officials was inadequate.

"Regardless of the outcome of the FBI investigations, just the 
unauthorized removal of the classified material from the lab marks a 
significant breach of security protocol and of the public trust," Bodman 
wrote. "We cannot correct the errors of the past. But we can learn from 
this incident and we will do better."

LANL Director Michael Anastasio released a memorandum he sent to all 
employees Tuesday, with an update on actions that have been taken in 
response to the security breach.

That response has so far included a presentation of a list of short-term 
improvements and establishment of a security action team headed by 
Principal Associate Director for Operations Jan Van Prooyen.

Anastasio recounted the immediate efforts, including a list of reviews, 
restrictions and engineered controls in the classified computer area. 
Another layer of security has been added, Anastasio indicated, including 
a pause in all scanning of classified documents, an enhanced procedure 
for physical searches and more random searches - now averaging 100 a 
day.

The laboratory has brought in cyber-security experts from the partner 
companies of the management entity, Los Alamos National Security, LLC, 
and their recommendations will be reviewed and incorporated into a new 
set of policies and procedures.

Since the current breach apparently caught the laboratory inadequately 
prepared to deal with new memory devices like memory sticks and iPods 
and easy transfer devices like flash drives, the managers have also 
chartered a Red Team of experts to provide technical advice for avoiding 
the next generation of security risks.

A spokesman for the secretary said that policy related to security 
liabilities by laboratory contractors is being assessed. DOE's Craig 
Stevens said the secretary expected results.

"We recognize this is a new contractor that has only been on the job a 
couple of months. We didn't expect all the problems to suddenly go 
away," he said.

"The secretary has laid it at the feet of the laboratory to get the lab 
fixed," he said, adding that more would be expected than "wringing of 
hands and paperwork and setting of policy."

Sen. Pete Domenici, who chairs the Senate Energy and Water Committee, 
responded to the announcement with a prepared statement this morning.

"I will review this classified report and will work to ensure the lab 
and Energy Department implement previously proposed reforms that have 
yet to be fully implemented, as well as immediately act to execute the 
new procedures and practices identified by the IG," he said. "I believe 
Secretary Bodman and Lab Director Mike Anastasio take these matters 
seriously and will work to put these recommended reforms in place."

Bodman's announcement said he has directed the department's Chief 
Information Officer Tom Pyke to follow up as appropriate on the IG 
report in upgrading the department's cyber security policies and 
procedures.

As was the case during the false security breach that shut the 
laboratory down for several months starting in July 2004, the department 
will take the opportunity to assess the policies and procedures 
"complex-wide" - in this case, for "issuing and maintaining personnel 
security clearances."

