Weaknesses in Classified Information Security Controls at DOE's Nuclear Weapon Laboratories.
Subcommittee on Oversight & Investigations
Committee on Commerce
U.S. House of Representatives
July 11, 2000
Prepared Statement of Dr. John C. Browne
Los Alamos National Laboratory
Mail Stop A 100
Los Alamos, New Mexico 87545
Panel 2, Witness 3
Mr. Chairman and members, thank you for the opportunity to discuss the security environment within which the Laboratory operated when the recent serious security incident occurred. When I first heard about this incident my reaction was probably the same as yours--how could this happen at Los Alamos after all the events of last year? I am angry and frustrated. The fact that the hard drives with classified information were found on June 16 by one of our people does not diminish accountability or responsibility to address the root causes.
We made many significant improvements to security in the last year, with a strong emphasis on cyber security. We enhanced our security awareness training for our employees and subcontractors. Nevertheless, this incident still occurred at our Laboratory, leaving us to ask what more needs to be done.
Although there are no excuses for this incident, there may be some contributing factors. The issues I have identified so far involve the adequacy of required DOE and Laboratory security procedures, human reliability in following procedures, and the oversight and acceptance of responsibility for security in special programs.
I have these key messages to emphasize today:
· We are accountable. Corrective actions have been taken; more are underway; disciplinary actions will be taken, subject to the immediate requirements of the ongoing criminal investigation.
· There is a need to return to more formal accountability for handling of Secret Restricted Data materials. Increased accountability will enhance the sense of personal responsibility, and reduce the opportunity for and consequences from human error.
· Human reliability programs need to be evaluated to ensure that people with access to the most sensitive information are included and that the program is effective.
· Outstanding science is essential to achieve our mission--we will fail without it--but it is not sufficient. Indifference or carelessness toward security, regardless of an individual's or an organization's accomplishments, will not be allowed to compromise our nation's interests. The National Nuclear Security Administration has a major challenge to reinforce the security culture while retaining science at its best in the National Laboratories, and they should be given the opportunity to do so.
Science and Security
Criticism of the National Laboratories recently has taken the form that security is in direct conflict with an elite scientific culture because security emphasizes keeping information from people while science flourishes in an open environment.
I reject the notion that science and security are incompatible. The tension that exists between the characteristics of security and science has been and can continue to be managed effectively. The most sensitive information in our custody--information about the design and operation of our country's nuclear arsenal--has been developed by the very scientists who are responsible for assuring that it is securely managed. More than any others, these scientists understand the information entrusted to them and appreciate the risks involved should it end up in the wrong hands. They have devoted their careers to public service in the national interest. They have demonstrated since the early days of the nuclear weapons program their ability to accomplish outstanding science and to simultaneously satisfy the requirements of effective security.
For over 50 years, our nation has been well served by the relationship between the University of California and the Department of Energy and its predecessor agencies. It is one of the longest lasting and most productive partnerships between a state entity and the federal government in our history. The University has provided an outstanding workforce to help the government solve some of its most challenging national defense problems. The challenge today and in the coming decade to ensure the safety and reliability of the US nuclear deterrent without nuclear testing is as great as any faced in our history. The University's role is as important now as ever.
Security management is a responsibility assigned to the Laboratory by the DOE through the management and oversight contract with the University of California. I would like to emphasize that as Laboratory Director, I am an officer of the University of California. In that role I represent the University and carry out the responsibilities assigned to it. I take that responsibility very seriously. The DOE sets the security rules within which we work. DOE evaluates our security performance through a series of programmatic and independent audits. DOE provides the financial resources to implement the security systems that are required. If resources do not match requirements, DOE sets the priorities.
The University's obligations in all aspects of contract performance were made more explicit in the performance-based contract starting in October of 1993. This arrangement, which became a federal norm in that time frame, was to have clearly defined the contractor's accountability by establishing quantitative performance goals. However, in the last implementation of this process to the security function, the previously agreed-to criteria were dropped and our performance was judged solely by the outcome of the final 1999 DOE "go green" audit. This left our evaluation dependent on the auditors' criteria rather than a set of pre-established performance standards and metrics covering the major areas of security.
The University has greatly enhanced its ability to provide oversight by adding a dedicated laboratory management office in 1993 that provides an interface with the DOE on contractual issues. The UC Board of Regents has had a standing Laboratory Oversight Committee that regularly interacts with the Laboratory directors. The University of California President also has a Committee on the National Laboratories that is composed of individuals who previously served in senior positions in industry, government and academia. Recently the University of California Office of the President (UCOP) appointed a security advisory panel chaired by Adm. Tom Brooks and hired a former military security officer as UC security director for contractor oversight on these matters. The UCOP and Admiral Brooks have assembled an outstanding panel of security experts that has begun to evaluate security practices across a broad spectrum at the two UC weapons labs. This panel has not been in existence long enough to have an impact on our security performance. Committees and offices by themselves do not ensure security, but they do demonstrate the University's commitment to improvements in this area.
The Department of Energy announced on June 30 that it will begin working with the University of California to explore ways in which security expertise can be brought into the UC and the Laboratory to achieve improvements in security. UC and the Lab welcome the study and will fully cooperate with the Department. Although the UC contract might be restructured to provide external security expertise, the day-to-day responsibility for handling classified information will still rest on the shoulders of the scientists and engineers at the Laboratory. There are important lessons from our recent improvements in safety. Safety and security are line responsibilities. Additional expertise from outside can be very helpful, but it must reinforce line responsibility. This is where the day-to-day work occurs.
Security De-Emphasis From 1990-98
To understand the current situation in security it helps to review the changes that have occurred in the nuclear weapons program over the last 10-12 years.
After the end of the Cold War, the budgets for the nuclear weapons laboratories dropped rapidly. There was considerable pressure from the DOE and the Congress to reduce overhead costs, and this included security. Security funding dropped to a new low, especially for physical security.
Policies changed as well as funding. Individual accountability for classified documents was done away with as a cost saving measure across the government. Secret Restricted Data document accountability was dropped as federal policy in 1992 and by 1993 after some debate Los Alamos ended this practice. In 1997, Top Secret Restricted Data document accountability was dropped as a federal requirement by DOE and other agencies. For Top Secret material and Sigma 14 and 15 weapons data we have continued to require more accountability and control than has been required by DOE.
There were other changes as well. Significant amounts of information were declassified. The name of the DOE Office of Classification was changed to the Office of Declassification. A policy of openness was promoted that aimed to make more information available to the public, especially information related to the safety and environmental impacts of nuclear activities.
A significant change of practices was instituted in the 1994-95 time frame when we were instructed to reduce the number of Q-cleared personnel (Top Secret) by downgrading many of our employees' clearances to L (Secret). The result was many more people with lower level clearance in our secure work areas. Not long after that, distinctive colors for Q-cleared versus L-cleared badges were dropped, which made the identification of the security access of individuals much more difficult. While none of the above changes can be shown to have a direct bearing on the hard-drive incident, they were part of the atmosphere that was created after the end of the Cold War.
A few years after these budget reductions and policy changes occurred, we began having difficulty earning satisfactory ratings in security reviews and audits by the DOE. In addition, information technology was expanding at an incredible rate. Reinvestment in security began to occur, but too slowly to address the new environment.
I faced this condition when I became Director of Los Alamos in November of 1997. I began to increase our overhead funding of security to make the changes mentioned elsewhere in this testimony. We have made significant progress. We still have further progress that needs to be made, and we are dedicated to doing that.
Security Enhancements Since 1998
In early 1998, I provided greater emphasis on security and environment, safety, and health by creating a Deputy Laboratory Director position that would concentrate on operations, including security and safety. Previously, a single deputy director had oversight of all operational, business, and outreach functions. In April 1998 I formed a separate Security Division, reporting to my operations deputy, with a former Air Force security officer specializing in nuclear security at the head. Consequently, a greatly improved Site Safeguards and Security Plan was developed and approved by DOE - our first since 1994. In a similar manner, I created a new Counter-Intelligence office, headed by a former FBI CI expert and reporting to the operations deputy but with full access to me.
In response to last year's criticism of cyber security at the defense national laboratories (Los Alamos, Livermore, and Sandia), these laboratories and DOE developed a Tri-Lab Information Security Plan in April 1999. The Laboratory is implementing this plan, and to ensure continued coordination of these improvement efforts, I formed a senior Information Security (INFOSEC) Policy Board, headed by my principal deputy. In addition, a formal technical program was created to lead our technical efforts to identify and develop solutions to present and projected computer security challenges. This program interacts directly with the INFOSEC Policy Board to ensure tight communications regarding Laboratory objectives, priorities, and oversight. The Security and Safeguards (S) Division is represented on the INFOSEC Policy Board to ensure compliance with the security regulations and guidance issued by DOE Safeguards and Security organizations.
Cyber security upgrades in the past year include
· Strict site and cyber access for foreign nationals.
· Network separation with firewalls between Laboratory unclassified administrative computing and public information computers--an additional layering beyond complete isolation of the classified computing network completed six years ago.
· Eliminated except in very special cases authorized use of any computer for both classified and unclassified computing (dual-use computers eliminated).
Actions After The Hard-Drive Incident
As soon as the hard-drive incident was reported to me on June 1, I initiated all actions that were required, prudent to limit further damage, or appropriate to facilitate further inquiry. Those actions include temporarily eliminating SRD access for members of the NEST team who had unescorted access to the vault in question until we had a better understanding of the FBI investigation.
Some of the actions taken in June have become continuing policy, such as:
· Logging of all vault entries and exits, with positive identification.
· Reduced access lists for vaults and Limited Access Control Areas (LACAs).
· Placed barcodes on all portable high-density computer storage media with Secret Restricted Data (SRD: secret nuclear weapons data) to facilitate inventory.
· Initiated a review of all nuclear weapons programs to ensure that they have security plans consistent with DOE and Laboratory policy.
These activities addressed immediate concerns, but we recognize that more may be required. We are working with the DOE to identify and implement additional measures that address root causes.
Last year I established a Lab-wide goal of "Zero Safeguards and Security Violations." Upgrades in personnel practices to ensure suitability of staff for critical national security jobs include intensified security awareness training, enforced by automatic rejection of personnel at entry badge readers if their training is overdue, and implementation of the DOE's counterintelligence polygraph program.
To reinforce the message of low tolerance for serious violations, strong sanctions are being taken by line managers for serious or deliberate security infractions. Since I have become Director, I have found it necessary to terminate 3 employees and suspend 4 others for serious security infractions and violations. For lesser infractions, sanctions such as salary reductions and reassignment to less responsible jobs have been applied. I have also empowered my managers to pull the Laboratory badges of non-UC subcontractor workers in their organizations who had the privilege of site access but failed to follow our procedures. This action also has been taken a number of times recently for visitors who did not comply with security procedures. After the investigations are complete in the hard-drive incident, appropriate personnel actions will be taken. It is not fair to our thousands of conscientious employees to tolerate the deliberate, careless or indifferent acts of a few individuals.
The quality of the Laboratory's security program is monitored through regular self-assessments and DOE evaluations. UC had also added detailed oversight through its new security office and panel that reports to the UC President's Council.
In the last few years we have made substantial investments to provide a stronger security environment. The improved status of our whole security posture was validated by the DOE's Office of Independent Oversight and Performance Assurance (OIOPA) at the end of 1999 with a rating of "Satisfactory," the highest of their three rating levels, following a year of preliminary visits and final audits. The GAO followup report, "Improvements Needed in DOE's Safeguards and Security Oversight" (February 2000) primarily addressed needed integration of oversight findings and followup records in DOE's methods. In this regard, the GAO report also calls out as a noteworthy practice that Los Alamos maintains its own database with "virtually every known security problem at the laboratory" as a method to track findings and corrective actions--although improvements were recommended in root cause and risk/benefit analyses.
The DOE Inspector General investigated security inspection ratings at Los Alamos for 1998 and 1999 and in May wrote the Summary Report on Inspection of Allegations Relating to the Albuquerque Operations Office Security Survey Process and the Security Operations' Self Assessment at Los Alamos National Laboratory. Most of the report is related to DOE ALO. I will not comment on those findings.
The portion of the IG report dealing with LANL self-assessments in 1998 and 1999 alleges that
a) all self-assessments were not completed by LANL as required; and
b) ratings on some self-assessments were manipulated by LANL management to make the Lab look better than the facts would have indicated.
Self-assessments are a valuable internal tool to senior management because they allow us to determine where we need improvements. The DOE OIOPA audit reviewed our self-assessment function after the IG visit to LANL and found that the LANL self-assessment program was operating and communicating the results to management effectively. Manipulating self-assessments as alleged would be counterproductive to our goals of having effective security. Self-assessment findings have no direct impact on DOE's annual evaluation of our security performance.
If the DOE IG will share more information on those allegations with me, I will investigate further. It is correct that we did not complete as many self-assessments as we had planned. We went beyond the DOE requirement for self-assessments and set a "stretch goal" that we missed. However, I would like to point out the Laboratory's security program was reviewed 16 times in 1999 alone. The DOE-IG report is the only audit for which we objected to the findings, and our objections were only because the findings could not be validated.
Current Regulatory System
The regulatory system for security, like safety, is complex and multilayered. At the top level public laws provide general principles and objectives. Next, the DOE has established a layer of rules in the Code of Federal Regulations and then has a layer of requirements in their Orders system. The Orders system has many thousands of pages of orders, manuals, and guides that are under constant revision. Requirements can be modified in real time by DOE direction.
One of the contract roles for the University of California is to help, with the DOE and the Labs, review regulations as they are developed and to maintain a list of applicable requirements.
Integrated Safeguards & Security Management (ISSM)
To deal with this complex environment we are taking the same approach to security that we took with safety. It is called Integrated Safeguards and Security Management (ISSM) and uses a simple five-step approach that every employee can understand. We are writing plain language "Laboratory Implementation Requirements" (LIRs) that capture all the government requirements in a form that allows the employees to understand what they must do in a given circumstance. Many requirements are common sense and we must continue to work toward a simple system that is easily understood but is difficult to circumvent.
Ultimately, security depends on individual performance. This is not unlike the individual's responsibility for safety. With the general security objectives in mind, the logic of the rules can be followed. Following the rules offers the worker protection when some failure occurs. More importantly, we have found that formality of operations encourages work habits that prevent failures.
To reinforce these expectations, I have directed all employees to participate in mandatory security awareness training, and review their security responsibilities with their next level of supervision.
We have the experience from implementing Integrated Safety Management (ISM) over the last three years that self-reporting is an important tool for performance improvement. Self-reporting is defeated in a climate of fear. We must maintain the support of the employees for self-reporting while carrying out our responsibilities for management oversight of the lab.
Over the last five years, we have averaged around 40 security "occurrences" per year. Most of these were self-reported and were administrative security infractions that had no or minimal impact on loss of control of information. Those that were serious were dealt with swiftly. It is important that we retain honest internal reporting and self-evaluation, if we are to improve our performance in security. I would be suspicious if only a few security occurrences or safety incidents were reported in an organization of 8,000 employees. Our goal of zero security violations can only be met by honest reporting and by addressing root causes.
Classified Material Protection and Control
Security implementation includes providing secure work and storage places for classified material, controlling the movement of that material, and qualifying personnel to ensure trustworthiness, and regular training.
The Laboratory has several layers of physical security, providing graded protection and defense in depth around classified materials. The outermost layer is the Laboratory site boundary, which encompasses DOE property. Inside this boundary, all persons are subject to DOE rules including following guard force directions. Vehicles and personal belongings are subject to search. A professional protective force with approximately 400 armed guards enforces these rules and site security.
The next layer is the security fence. Unescorted access to the Administration Building security area (which incorporates X-Division's principal work space) is through portals using a Q- or L-cleared (secret-national security information [NSI]) badge plus identification either by a guard from the badge photo or by means of the badge plus a hand-geometry biometric reader. About 8000 people have badge access to the Administration Building. Other Q-cleared buildings have similar measures.
X-Division's principal workspace is located within a Limited Access Control Area (LACA) inside the Administration Building. The LACA is an additional layer of security that we use to identify and authorize a group of people doing related work inside a more general security area. Unescorted LACA access, through another badge reader, was allowed to about 1300 Q-cleared people who required emergency access or who routinely work in or with X-Division, usually involving Secret Restricted Data--secret nuclear weapons data. (Once inside the LACA, personal recognition provides a strong deterrent to unauthorized access.) The access list for the LACA badge readers has been pruned to 600 people.
Another higher-level security environment can be provided by a Sensitive Compartmented Information Facility (SCIF). These areas can be multi-office work areas, like a LACA, but with more extensive access control features specified in federal standards. SCIFs are normally used for intelligence work or for Special Access Programs (SAPs).
The next layer of physical security in classified workspaces is provided by personal control or secure storage of the classified materials. When not in the possession of an authorized user, classified material must be in approved storage. Approved non-work-hours storage can be a safe in an office, a vault, or a vault-type room meeting standards specific to each kind of system, its security environment, and the classification level of the material inside. The DOE standards cover the storage device location, construction, and door locks. For a vault, a GSA-approved standard lock and intrusion detection alarms are required.
Los Alamos vaults have always been equipped with GSA approved locks and intrusion alarms that meet DOE standards. Until June, workday practices for control of classified material were met by various means allowed by the DOE requirements. For some vaults, including the vault in question, a number of Q-cleared persons were authorized for unescorted access. No entry logging process was required by DOE or the Laboratory or routinely in place when the vault was attended.
After the hard-drive incident, we immediately instituted a vault access-logging requirement that subsequently became DOE policy per Secretary Richardson's June 19 memo. We are now meeting that requirement for all of our 96 vaults on site.
Since 1994, we have had 19 DOE inspections that covered vault operations. These resulted in two findings. One finding is closed and the other, involving a technical issue regarding alarm testing, has a corrective action plan. Neither of these two findings addressed the issues surrounding this incident.
DOE is planning to review vault operations across the complex and establish upgraded standards on a very fast track. We have already reviewed the security practices at all 96 vaults at LANL. We welcome the DOE review.
Information security is provided by physical security as described above and by controlling the movement of the information. The rules for controlling computer media have evolved to be somewhat different than for hard copy on durable media such as paper and film because the expansion of digital storage capacity challenges the traditional concept of "document." Some hard drives in personal computers can hold more than the equivalent of a million pages of text. The increase in the amount of material that can be compromised and the speed with which it can be transmitted as digital capabilities increase is a government-wide problem that must be broadly addressed. Many of our cyber security improvements of the past year were aimed at this problem and we continue to deploy technology to address what may be the most volatile security issue we face.
In 1992 when SRD accountability changes occurred, DOE was not prepared to give guidance for the secure handling of computer-based information. The technology was changing so rapidly it was difficult for anyone to keep up. The computer technology moved faster than security technology or policy. We needed clearer overall guidance in order to follow priorities on expenditures. This all occurred in an environment when great pressure was being applied to reduce overhead accounts. In such an environment, it was essential that we follow DOE policy and expenditure guidance.
As said earlier, government-wide policy from 1992 ended the requirement to maintain an auditable inventory of Secret Restricted Data material. This is often referred to as the "end of accountability," but of course, everyone is still responsible for the classified documents in one's possession. The Laboratory follows DOE policy for accountability of SRD material.
Positive inventory control for all of the approximately 6 million classified items now in the Laboratory's possession raises the issue of cost vs. benefit that caused the downgrading of requirements eight years ago. We estimate that the effort to reinstate an inventory listing of all SRD items would be at least $60M. Maintenance of the accountability system plus periodic inventories would cost on the order of $25M per year.
An inventory system can help reinforce careful work habits as well as providing more positive document control. The cost and difficulties could be reduced by a graded implementation. For example, the first focus could be on inventorying portable high-density digital storage devices. We have now completed that task. Sigma categories can be used to prioritize items for inventory. Security and subject matter experts should be involved in detailing standards. It would be costly and ineffective for the Laboratory to attempt to create its own inventory system without DOE guidance. Any system must be DOE-wide to be effective. The magnitude of such an effort will raise issues of costs and benefits. DOE will need to establish priorities for resources.
Prior to this incident there was no government requirement to protect a compendium of secret information beyond the requirement that applies to the highest level of classification of any item in the compendium. This is regardless of the volume of information.
Immediately following the hard-drive incident, I directed that portable high-density digital storage devices with SRD must be put under inventory control. For this purpose, bar-coding on some 65,000 such devices is essentially complete. As announced in June, the DOE will institutionalize the inventory control requirement for selected compendia of secret information on high-density media. We strongly endorse the development of such a plan.
There is no formal DOE or Laboratory requirement associated with transfer of SRD ownership within a Q-cleared security area. In particular, the previous owner is not required to retain a record of change of ownership, so in a sense, everybody owns it--and therefore nobody does. The opportunity to lose track of ownership is high in multi-user vaults if there is no formal accountability. This may have been a contributing factor in the hard-drive incident. Prior to the 1992 changes, the originator of a document had to record any copies made, number the copies, and the tracking system retained a record of all copies and their owners. We recommend re-establishment of rules for tracking SRD (and higher) document ownership.
Transport of SRD outside of a security area requires physical security measures, but without inventory controls, there is no unique identifier to track removal, transport, and arrival of the item. Document accountability is important when documents are transferred between owners and transported outside of the security perimeter. Tracking document transfers and movements would be enabled by and should be part of a revitalized accountability system.
With modern technology, there is an opportunity to develop centralized electronic repositories with a high degree of security, tracking, and access control. This would, however, create a security vulnerability by concentrating information. Security measures would have to be very high for such a system, but may be the best approach for a cost-effective document control system.
The digital age has created new problems for information security and may also provide means to help that should be further considered. Encryption of classified information could be an important augmentation to other security measures. Secretary Richardson directed that encryption be utilized in protection of large quantities of SRD. A limited set of software encryption tools are available now, but are likely to improve rapidly in coming years. We plan to utilize these developments in concert with DOE.
In my opening comments I identified human reliability as one of my core concerns. This concern is widespread in security management. A recent DoD study(1) "Insider Threat Mitigation" identified maliciousness, disdain for security procedures, carelessness, and ignorance as four kinds of insider behavior that can generate security incidents. Our system attempts to minimize these behaviors by thorough selection, training, mentoring, and re-evaluation of personnel, but needs to be strengthened.
Access to various levels and kinds of classified material can be authorized to persons with corresponding clearance levels and need-to-know. Clearances are provided through the federal departments for their own personnel and contractors. Although periodic reinvestigations check external risk factors such as indebtedness for cleared personnel, it may be necessary to strengthen personnel requalification through a better human reliability program.
The 1995 DOE policy to make L (Secret) the default clearance level instead of Q (Top Secret) introduces many less-scrutinized people within our security perimeter. We recommend that only Q-cleared personnel have routine access within our security areas. This would require a much higher quota of new Q clearances.
Personnel develop sound security work habits through initial training, work experience in a supportive environment, and refresher training. This is the normal process at my Laboratory. I know these people and I know their work style. It is not an atmosphere of widespread disdain for security.
However, to ensure that current requirements are clearly understood, we conduct required periodic security retraining and hold occasional special events for security awareness. The basic retraining program has a number of elements and is largely computer-based on the Lab's internal web, to ensure currency and standardization. The retraining system is highly automated, including reminders emailed to the individuals and their administrative offices, and automatic rejection of personnel at security area badge readers if their training has lapsed.
We have conducted a number of special events for security awareness that consist of presentations by respected security experts and use of professionally-prepared training materials. This follows a pattern developed by Integrated Safety Management that has been well-accepted by the workforce. We had very good employee feedback from these sessions. I have directed that security awareness training be conducted this summer for all employees. This will be an occasion for presentation of the Integrated Safeguards and Security Management System to the whole workforce. Additional security training will be focused on areas of need; for example, last week we conducted a security immersion day for NEST.
I am particularly concerned about the apparent human failure involved in this incident. Losing or misplacing secret information is a serious matter but does not necessarily expose the individuals involved to severe disciplinary action if promptly reported. The rules are intended to accommodate a certain level of inadvertent security infractions through self-reporting. Through prompt reporting it can sometimes be established that the material was never left unprotected, and if not, then its movement can be reconstructed and perhaps the material can be found. With prompt action the consequent damage to national security can be more effectively determined and limited. We will have to ensure that our security awareness training strongly re-emphasizes the reporting requirement to our employees.
DOE has several special personnel programs, such as the Personnel Security Assurance Program (PSAP) and the Performance Assurance Program (PAP), to assure fitness for particular duties. For example, personnel handling nuclear weapons are evaluated for psychological stability and drug abuse. It is important that an expanded human reliability program be wisely employed to help us determine if we have risks with people in our most sensitive programs. The DoD report cited above reaches a similar conclusion.
Access to Programs
There are rules specifying access privileges to information in various categories according to the clearances held by a person. Beyond a Q-clearance, which enables access with need-to-know (NTK) to SRD and Top Secret material, there are Special Access Programs (SAPs) and Sensitive Compartmented Information (SCI) access.
SCI information is often intelligence-related and compartmentalization helps protect sources and methods as well as highly sensitive information. Access to a SAP or SCI program can be granted only by a designated government program manager. Los Alamos works in many SAPs and SCI programs with the DOE and other federal sponsors. A DOE rulebook dictates the formal steps required in these relationships to ensure that roles and responsibilities are documented.
There are a number of special programs (non-SAP, non-SCI) at Los Alamos into which line managers have had little or no access to ensure that Laboratory safety and security rules are met. Prior to this incident it was not clear to our line management and security people whether or not they had the necessary authority to accept responsibility for the detailed security procedures of these programs. By their very nature, sponsors try to limit the number of people who have access to such programs. It is important that the line management maintain oversight of the security and safety of all such activities with assistance from security experts.
The NEST program has been operated as a closely held need-to-know program but not a formal Special Access Program. Los Alamos has made a good faith effort to participate in this program as we understood the guidance of the program sponsors in DOE. Oversight of NEST by our Security Division was limited. Not all aspects of the NEST security plan were reviewed and approved by laboratory managers for compliance with DOE rules or for best security practices. Even if NEST was treated as a closely held need-to-know program, it was subject to DOE policy for handling SRD, and that policy was in place at the Laboratory. We have been asked by the FBI not to interview the current Los Alamos NEST team, so we cannot report on any security audits that the team may have conducted. I also do not have the results of any security audits of NEST that DOE may have conducted. However, our preliminary review of NEST operations prior to the FBI being engaged indicates to us that the program operated using normal SRD security measures, although additional factors may be uncovered by the present FBI or future investigations and could cause us to modify this judgment.
The vault where the X Division NEST toolkit was stored was subject to normal inspections by our Security Division. Since there was no accountable matter in the vault, inspections were related to physical security and spot-checks on document markings. Adequate equipment, procedures, training, and personnel qualifications were in place to enable secure handling of NEST items.
Execution of security oversight is less clear. Our discussions with DOE have revealed that some personnel at DOE did not have the same understanding as LANL personnel of how NEST program security was to be administered. Elimination of such misunderstanding is a mutual responsibility of the DOE and the Laboratory.
We believed in good faith that this program was indeed considered special in a very real sense, i.e., a "close-hold" program. There was a list of the people allowed access to the information. Deployment details were very closely held. We are addressing this issue with DOE and are working together to eliminate the ambiguity that we have discovered. In fact, the Deputy NNSA Administrator for Defense Programs sent me a letter on June 16 clarifying that we are responsible for the security of all programs unless directed to the contrary.
There are a number of other closely held need-to-know programs that have some of the characteristics of the NEST program. On the basis of the NNSA letter we are undertaking a comprehensive review of their security. I believe that NEST and other closely-held need-to-know programs should have a level of formality that includes, at a minimum, a security plan reviewed and approved by DOE and laboratory management delineating roles and responsibilities for security for all participants, strict accountability and tracking control for all SRD (and higher) information and equipment, regular security/counter-intelligence training and certification, and regular audits.
Such measures would not necessarily have prevented the hard-drive incident, but would have made it easier to detect someone violating security.
Summary Of Current Activity
It is critically important for national security that our recent security incident be analyzed, the lessons learned, and corrective actions taken. At the local level, many changes already have been implemented and many are planned or under consideration. At the national level, actions are underway that provide an enhanced focus on security, especially for computer media. I will summarize recommendations and actions underway.
First, the National Nuclear Security Administration will provide a new setting for our nuclear weapons programs, including a strong focus on security management. It is important that the NNSA and its new leader, Gen. John Gordon, be given the opportunity to create a new management team and processes that will ensure we accomplish our mission with effective security for these times.
I am also very pleased that the Administration has created the Hamilton-Baker panel to review the hard-drive incident. I believe that these two distinguished public servants will provide a thorough and thoughtful analysis and recommendations.
We are implementing upgrades to current security practices to address some of the underlying factors that may have contributed to the recent security incident. I have explained most of these in context above. In summary:
· Upgraded access control measures now in place include positive identification and logging of persons for vault entries by the vault custodian during work hours and through the central alarm system manned 24 hours per day by our guard force. In addition, if a vault custodian leaves his/her station, the vault must now be locked and alarmed. Entry to Limited Access Control Areas is also under review to improve controls.
· We are implementing inventory control of portable high-density data storage devices with Secret Restricted Data. Device bar-coding for this purpose is nearly complete. Development of requirements is underway with the DOE for reinstating inventory control of SRD information.
· We are also considering how to reduce the volume of secret information held in distributed storage, to facilitate inventory control, yet not lose the valuable information from the past.
· Encryption will be evaluated and incorporated as DOE guidance is received. This will preserve the secrecy of information regardless of control of the physical media.
· In our security awareness training, we will emphasize the importance of continuing self-reporting. We must ensure that our security practices do not discourage this.
· We are considering how to provide a graded approach to personnel evaluations according to their access to the most sensitive information. It may be necessary to include PSAP-like features in evaluating fitness for duty for some positions.
If we made all these significant improvements in security over the past year, why didn't it prevent the latest security incident? It appears that there are a number of contributing factors, none of which can be or should be used as an excuse.
Policies, procedures, and security systems are all necessary to make it difficult for someone to compromise our nation's secrets, but also to make it easier to detect someone who tries to do so. Such measures will not be able to wholly prevent inadvertent or intentional human error.
There are additional improvements we can make. We will follow DOE guidance when it is received. To initiate further changes without that guidance usually leads to backing up and starting over, which wastes scarce resources.
We have worked very hard and invested many resources in physical and cyber protection, but nonetheless we have suffered severely damaging incidents.
Many people have stated that security, due to its inherent desire to keep information closed, is totally incompatible with science, whose fundamental premise is openness. There is no doubt that there is a tension between these two objectives--but it has been managed at Los Alamos and elsewhere for many years. It requires great diligence and continual improvements to deal with changing situations. It must be managed because science is too important to the future of our nation's security. Science creates the ideas that strengthen our national defense. Science created the information on the hard drives. We look forward to the leadership of the NNSA to help us strengthen our security environment while preserving science at its best.
Although we incorporated all existing DOE policies in our requirements and had highly qualified workers involved, it appears a failure to execute required duties occurred, possibly from deliberate human action or omission of action. Security is not just the rules and the systems. We must engage the hearts and minds of the people. I reject the conclusion that this latest incident is typical of our workforce. Our people are dedicated to national security. Many have spent a large fraction of their lives contributing to our most important national problems. At the same time, we must insist that arrogance, carelessness and indifference to security not be an excuse for inadequate protection of our nation's secrets, regardless of the scientific accomplishments of the individual or the organization.
Our goal is zero security violations. We are accountable and committed to make the needed changes to improve our security. We can have science at its best and security at its best. Our nation needs both and should demand no less.
1. DoD Insider Threat Mitigation: Final Report of the Insider Threat Integrated Process Team, available by subscription from http://www.insidedefense.com/