Science and Security
in the Service of the Nation:A review of the security incident
SEPTEMBER 2000
involving classified hard drives at
Los Alamos National Laboratory
A report to the
President of the United States
and the Secretary of Energy
by the Honorable Howard H. Baker, Jr.
and the Honorable Lee H. HamiltonSeptember 25, 2000
The President
The White House
Washington, D.C. 20500Dear Mr. President:
Pursuant to your request, herewith we transmit the report on our review of the security incident involving classified hard drives at Los Alamos National Laboratory.
Respectfully submitted,
Howard H. Baker, Jr.
Lee H. Hamilton
Enclosure
September 25, 2000
The Honorable Bill Richardson
Secretary of Energy
U.S. Department of Energy
Washington, D.C. 20585Dear Mr. Secretary:
Pursuant to your request, herewith we transmit the report on our review of the security incident involving classified hard drives at Los Alamos National Laboratory.
Respectfully submitted,
Howard H. Baker, Jr.
Lee H. Hamilton
Enclosure
Table of Contents Preface
Key Findings
I. Introduction
II. Los Alamos National LaboratoryA. History
III. The hard drive incident and its implications
B. The mission and its importance
C. NEST and its role
D. Science and securityA. What happened?
IV. Conclusion
B. Why did it happen?1. Were official policies, directives, and procedures deficient?
C. What preventive measures should be implemented?
2. Were official policies, directives, and procedures fully implemented?
3. Were lines of command and communication clear and effective?
4. Was DOE oversight effective?1. Organization
D. What are the implications of the hard-drive incident?
2. Security measures and procedures
3. Personnel actions
4. Resources
End Notes
Appendix
On June 13, we were asked by the Secretary of Energy to review the facts surrounding the loss of two hard drives containing significant quantities of sensitive nuclear information from the Nuclear Emergency Search Team (NEST) at Los Alamos National Laboratory (LANL). Preface
Our charter was neither to evaluate Department of Energy (DOE) security as a whole, nor to duplicate earlier efforts. Neither the time nor the resources devoted to this study would have permitted such an expansive scope, nor was such an effort necessary in light of the thorough report on security issues at the national laboratories issued last year by the Special Investigative Panel of the President's Foreign Intelligence Advisory Board (PFIAB) chaired by the PFIAB Chairman, former Senator Warren Rudman.
We were not asked to try to establish individual culpability, and we have not. Indeed we have carefully avoided any action -- e.g., interviewing the individuals already identified as having possibly been involved in the incident -- that might interfere with existing law enforcement efforts. As the investigation of this matter by the Federal Bureau of Investigation, the Justice Department, or the U.S. Attorney's Office in Albuquerque fall outside the scope of our authority, we make no comment on their activities.
Finally, based on the information available, in fact we do not know how or why the hard drives were lost, misplaced, or stolen. We do not know whether they remained in the copy room where they were ultimately found, or were returned there. And, we do not know what happened to them while they were missing. As far as we know, there is no proof on these points at this time, and therefore we draw no conclusion.
Without knowing what exactly happened to the hard drives, however, we aim to achieve a broader purpose. The following report to the Secretary and to the President of the United States reflects our assessment of the underlying causes of what happened and why, and recommends a number of corrective actions that might reduce the risk of future security lapses of this kind.
In conducting our review, we enjoyed full access to DOE policies, orders, and directives; interviewed dozens of individuals from inside and outside DOE, including other federal departments and agencies; sought additional views through the use of a questionnaire; conducted site visits to LANL and Sandia National Laboratories; and reviewed the extensive literature of past reports and assessments regarding the security issues at DOE and the national laboratories. These contributions are identified in the Appendix to this report. We wish to acknowledge with gratitude the comments -- written, and oral, solicited and unsolicited -- that were presented to us. Respect for the confidentiality of the individuals who provided them prevents us from acknowledging them by name, but we greatly benefited from their diverse perspectives.
We wish to thank Secretary of Energy Bill Richardson, Secretary of Defense William Cohen, Director of Central Intelligence George Tenet, Director of the Federal Bureau of Investigation Louis Freeh, Administrator of the National Nuclear Security Administration John Gordon, Director of LANL John Browne, Director of Sandia National Laboratories Paul Robinson, University of California Chancellor Richard Atkinson, and the other individuals with whom we met. All offered their full support and cooperation with our efforts. In particular, we would like to thank Senator Warren Rudman for sharing the insights he gained in carrying out the earlier PFIAB study, and for the support and assistance we gained from Randy Dietering and other PFIAB staff members, as well as through access to the archives from their earlier research.
We also benefited from the insights and perspectives of past officials and private citizens, including the men and women of Los Alamos National Laboratory. In addition, in preparing tnis report, we were assisted by John Tuck, Daniel Poneman, Howard Liebengood, and John Hartford.
Howard H. Baker, Jr.
Lee H. Hamilton
Key Findings
While it is unclear what happened to the missing hard drives at Los Alamos National Laboratory, it is dear that there was a security lapse and that the consequences of the loss of the data on the hard drives would be extremely damaging to the national security.
Among the known consequences of the hard-drive incident, the most worrisome is the devastating effect on the morale and productivity of LANL, which plays a critical national-security role for the Nation.
The current negative climate is incompatible with the performance of good science. A perfect security system at a national laboratory is of no use if the laboratory can no longer generate the cutting-edge technology that needs to be protected from improper disclosure.
It is critical to reverse the demoralization at LANL before it further undermines the ability of that institution both to continue to make its vital contributions to our national security, and to protect the sensitive national-security information that is critical to the fulfillment of its responsibilities.
Urgent action should be taken to ensure that Los Alamos National Laboratory gets back to work in a reformed security structure that will allow the work there to be successfully sustained over the long term.
The following actions -- to be commended to the President, the Secretary of Energy, the Administrator of the National Nuclear Security Administration (NNSA), and to the Congress -- should promote the vital objectives of restoring the performance of outstanding science and outstanding security at Los Alamos National Laboratory: 1. Organization
2. Security Measures and Procedures
- Clarify -- and simplify -- lines of command and communication.
- Establish clear accountability for security.
- Reinforce the position of the NNSA within DOE and the authority of the. NNSA Administrator.
- Formalize agreements allocating resources, responsibilities, and authorities among the entities responsible for the protection of sensitive nuclear information.
- Clarify the responsibility of the University of California.
- Strengthen cooperation with the Congress.
3. Personnel Actions
- Review security classifications and procedures regarding nuclear information and, especially, compendia of nuclear information.
- Implement security upgrades at LANL.
- Use advanced technology to respond more effectively to growing cyber security threats to sensitive nuclear information.
- Consult NEST members on security procedures for the NEST program.
- Review security measures adopted in other governmental entities and the private sector. Adopt or adapt best practices in the national laboratories.
4. Resources
- Define security to extend beyond the traditional elements of physical protection (guns, guards, gates), to include adequate attention to the morale and motivation of laboratory employees.
- Educate and train laboratory personnel, to reduce the "clash of cultures" between science and security.
- Eliminate "zero tolerance" policy on information security, so that security incidents can be reported and remedied without employee fears of undue reprisals.
- Provide adequate resources to support the mission of the national laboratories to preserve our nuclear deterrent, including the information security component of that mission.
- Ensure that security resources are properly allocated to conventional and cyber threats to our nuclear secrets.
I. Introduction
On June 1, the Director of the Los Alamos National Laboratory learned that two hard drives for use in laptop computers by members of NEST -- the elite emergency response team responsible for disabling nuclear devices at a moment's notice -- had been unaccounted for, for at least the past 24 days. On June 16, both drives were found behind a photocopier inside the security perirneter of X Division, but outside of the vault where they belonged.As part of its effort to address the serious security lapses laid bare by this episode, Secretary Richardson asked us to conduct an independent review aimed at establishing how and why this incident occurred, and to propose corrective actions. This report to the President and to the Secretary is the product of that review.
We are aware of the sensitivity of our task. The hard drive incident and other recent events have created a profound crisis of confidence within and around the Department of Energy. This crisis has jeopardized the Department's ability to fulfill successfully its critical role as the custodian of the Nation's nuclear weapons and nuclear secrets. To overcome the crisis, it is essential to regain the confidence of the Congress and the American people that our nuclear secrets are safe and secure. It is equally essential to regain the confidence of scientists that they and their work at LANL are highly valued.
The seriousness of this incident has focused enormous attention upon -- and created an opportunity to address -- the problems of security in the DOE complex. The Department should seize that opportunity. While the Department of Energy must bear the largest burden in this effort, uitimately the endeavor cannot succeed without strong support by the President and the Congress, as well.
By any measure, the loss of these hard drives constituted an extraordinary risk to our national security. How much damage occurred, if any, we do not know, as we do not know what happened to the drives during the period they were missing. And, as this report will show, despite the substantial gaps that remain in our knowledge about the particulars of the hard-drive incident, that such an episode occurred cannot be surprising once one has closely reviewed the institutional and practical shortcomings of security at the Los Alamos National Laboratory.
Our purpose is to review, not to investigate. We were not charged to assess blame, to identify a culprit, or to displace the role of any of the formal investigations surrounding this episode. The security lapse reviewed here reflected a cascade of events and decisions over many years, rather than a single misstep. Thus, while the Secretary of Energy must bear the burden of responsibility for ensuring that our nuclear secrets are safe and secure at the national laboratories, his predecessors must bear their fair share of the burden of the shortcomings documented in years past in the implementation of security measures.1
In the aftermath of the Cold War, many in government may have let down their guard in attending to security matters. Certainly the nature of the nuclear threat has changed since the days of family bomb shelters and air raid alerts. But, while the character of the security risks we face has changed dramatically -- from the prospect of all-out attack by the Soviet rocket forces to the far more amorphous but growing threat of nuclear proliferation spawning a terrorist nuclear incident somewhere in our midst -- those risks remain real and so does the need for rigorous security.
The national laboratories continue to be essential to our national security. Our most important nuclear secrets reside there. What our scientists do at LANL and the other national laboratories has been -- and continues to be -- integral to keeping this country strong and free. The service they have rendered the Nation since World War II has been invaluable and incalculable.
As the nature of the nuclear threat has changed with the times, so has the nature of the security threat to our nuclear secrets. For example, we need to understand -- and address -- the extraordinary security risk posed by high concentrations of sensitive nuclear weapon-related information in highly portable, easily-concealable forms such as small, removable computer disk drives. By clarifying how our security vulnerabilities have evolved, we may gain valuable insights into specific shortcomings in security practices and procedures at LANL, and elsewhere.
In that spirit, we have developed recommendations to reduce the risk that these kinds of security lapses will recur at LANL. In doing so, we have preserved the fundamental principles that have guided our atomic program since its beginning. These include the preservation of civilian control over our nuclear weapons arsenal, and of the deep sense of individual responsibility imbued in the custodians of that arsenal.
It is not sufficient, however, simply to guard against the loss of nuclear secrets. We must also promote a strong and vibrant scientific culture at our national laboratofies to continue developing the technological advances that secrecy is designed to protect. Our recommendations aim to advance both of these vital national objectives. Given the possible consequences of losing either our nuclear superiority or our nuclear secrets, our Nation and the custodians of our nuclear weapons complex can afford to do no less.
Past Studies of DOE Security
The President's Foreign Intelligence Advisory Board published a report in June 1999 on security problems at the U.S. Department of Energy. This report included an extensive analysis of approximately 115 investigations and reports -- by executive branch agencies including DOE, the Congress and the General Accounting Office, and independent panels -- conducted between 1979 and 1999. These documents record extensive security and counterintelligence problems in the Department and at the national laboratories. We also reviewed reports issued by GAO, DOE and independent panels that cover the 1999 to 2000 time frame. These reports address the following subject areas: the physical protection of sensitive nuclear data, materials, and technology; personnel security; foreign visitors and assignments; information security; security management, planning, and oversight; and counterintelligence. In its report the PFIAB panel concluded: "More than 25 years worth of reports, studies and formal inquiries ... have identified a multitude of chronic security and counterintelligence problems at all of the weapons Labs. These reviews produced scores of stern, almost pleading, entreaties for change. Critical security flaws ... have been cited for immediate attention and resolution ... over and over and over...." The reports published after the PFIAB report continue to comment on implementation problems in accomplishing Secretary Richardson's security initiatives, particularly concerning the continuing question of who has the authority, responsibility, and accountability for security management.
II. Los Alamos National Laboratory
A. HistoryLos Alamos National Laboratory has played a key role in the history of the 20th Century. It helped end World War II, through the extraordinary efforts of the brilliant and patriotic individuals who gathered there to work on the Manhattan Project -- chemists, physicists, soldiers, and many others from all over the country. Many were recent irnmigrants from other nations.
Despite their differences, a common purpose and destiny united these uncommon individuals. They won their race against time, and against a desperate and resourceful enemy who would stop at nothing to achieve world domination.
From the moment that President Franklin Roosevelt received Albert Einstein's 1939 letter outlining the explosive potential of atomic fission, scientist and government have worked in tandem -- if not always in harmony -- to build and maintain America's nuclear arsenal. So, from the very beginning, the science of Los Alamos has been closely tied to the government, in a long and productive partnership.
B. The mission and its importance
While the Cold War has ended, the mission of LANL and the other national laboratories remains essential to the national security of the United States. Some of the finest scientists in the world have gathered there, and the Nation depends on their unique work in preserving our nuclear deterrent. It is therefore essential to preserve the ability of the laboratory to conduct the leading-edge science that has helped keep America strong and free for the past half-century.
The scientists at our national laboratories know that. Indeed, that is why so many have chosen to work there. It is important to remember -- especially during the swirl of current events and sensational news reports -- that the vast majority of the scientists of Los Alamos are patriotic Americans who place high value on the well-being of our country. They have worked hard to improve the security of our Nation and its citizens, not to undermine it.
C. NEST and its role
The Nuclear Emergency Search Team is part of DOE'S program for preparing and equipping specialized response teams to deal with the technical aspects of nuclear or radiological terrorism. The NEST program was established in 1974 to provide technical assistance to the Federal Bureau of Investigation (FBI), which is responsible for investigating illegal activities -- including terrorist threats -- involving the use of nuclear materials within the United States. NEST capabilities include search and identification of nuclear materials, diagnostics and assessment of suspected nuclear devices, technical operations in support of render-safe procedures, and packaging for transport to final disposition. NEST assets are drawn from the Nation's nuclear weapons complex. Response teams vary in size from a five person technical advisory team, to a tailored deployment of dozens of searchers and scientists who can locate and then conduct or support technical operations on a suspected nuclear device. NEST personnel and equipment are ready to deploy worldwide at all times.
NEST is now fully integrated into the Federal response to nuclear or radiological terrorist incidents, whether at home or abroad. NEST experts include engineers, scientists, and other technical specialists from DOE's nuclear weapons laboratories and facilities, including Los Alamos National Laboratory, Sandia National Laboratories, Lawrence Livermore National Laboratory, the Remote Sensing Laboratory and the Pantex plant.
NEST specialized response teams include coordination, liaison, and advisory teams, search teams, technical operations teams, and planning support teams. These teams aim to provide a rapid, flexible response in support of the Lead Federal Agencies, i.e., the FBI, Department of State, or the Department of Defense, depending on the circumstances, to help resolve all technical aspects of the crisis. All response team deployments are directed by DOE headquarters, after coordination with other concerned agencies. This interagency process may involve strict operational security to protect classified or sensitive details of the response operation.
D. Science and Security
From the earliest days of the atomic age -- the debate between Leo Szilard and Enrico Fermi over whether to publish research concerning nuclear chain reactions, the historic struggles between J. Robert Oppenheimer and General Leslie Groves during the Manhattan Project -- the tensions between the need for science and the need for secrecy were evident. More than evident, these tensions were inevitable, in light of the nature of science and the nature of information security:
Despite this inherent tension, we believe that it is essential to promote good science and good security at LANL. Indeed, both science and security must be program objectives at LANL, and in NEST. While accommodations will be required to ensure that each objective adequately takes the other into account, neither can be sacrificed to the other. This country can boast a long and noble tradition of effectively protecting the science that has served our national security, by embedding the security mission in many of our Nation's most advanced scientific programs. The historical record supports the view that this tension is manageable and has, on the whole, been well managed for decades by the managers and scientists at the national laboratories. Regrettably, the exceptions to the rule have been dramatic, and have clouded this record, which makes it all the more important to respond effectively to those exceptions.
- Good science requires open access to information, freewheeling debate, and cross-fertilization of ideas.
- Good information security requires limited access to information, compartmentalized into small subject areas, parceled out on a need-to-know basis.
Role of the University of California
The University of California (UC) manages three laboratories for the U.S. Department of Energy: the Ernest Orlando Lawrence Berkeley National Laboratory and the Lawrence Livermore National Laboratory (LBNL and LLNL, respectively, both in California), and the Los Alamos National Laboratory in New Mexico. The university has managed the laboratories since their inceptions. LBNL was established in 1931, LANL in 1942, and LLNL in 1952. The three laboratories have a combined UC workforce of 18,000 people and operate on federally financed budgets totaling approximately $3.2 billion.
Contracts
The current contracts were approved by the UC Board of Regents and DOE in September 1997; they expire in September 2002. Compensation to UC under the contracts is based in part on performance, measured against objective, mutually agreed upon criteria. Much of the compensation is returned to the laboratories for research activities. As part of the annual performance appraisal process, the quality of science and technology at the laboratories is assess by a peer review process.
Oversight
The Board of Regents has ultimate authority for the university's laboratory management. The Regents' Committee on Oversight of the DOE Laboratories -- one of the board's eight operating committees -- considers matters related to laboratory management, reporting on these matters and referring action to the full board. With the approval of the regents and the concurrence of the DOE, the president of the University appoints the laboratory directors. Management oversight of the laboratories is delegated by the Regents to the university's president. The provost/senior vice president for academic affairs oversees scientific and technical programs at the laboratories; the senior vice president for business and finance oversees administrative functions associated with the university's laboratory management.
The UC National Laboratory Coordinating Committee reports to the University president on issues related to laboratory management. The group consists of the two senior vice presidents, and other senior managers in the UC Office of the President.
The UC President's Council on the National Laboratories advises the president and the regents on all aspects of laboratory management and operation. Appointed by the president, council members bring experience from academic and research institutions, private industry, and government and military service. About a third of the council members are also UC faculty members.
Reporting to the provost and senior vice president for academic affairs, the Office of Research and Laboratory Programs has responsibility for the programmatic and scientific technological oversight of the laboratories' performance. It supports the president's council, promotes scientific and academic interactions, and works to resolve programmatic and scientific issues.
The Laboratory Administration Office, part of the UC Office of the President, works closely with the laboratories and DOE to provide overall contract management and specific oversight in these functional areas: laboratory management, information management, facilities management, environmental safety and health, procurement and property management, human resources, financial systems, and safeguards and security.
III. The hard-drive incident and its implications
A. What happened?Within the limitations on our mandate, noted in the Preface to this report, our review produced the following observations about what happened to the disk drives:
B. Why did it happen?
- Two hard drives, each about the size of a deck of cards and used in laptop computers carried by NEST members in exercises and missions to render nuclear weapons safe, were unaccounted for at least six weeks (May 7-June 16), and quite possibly for five months (January-June) . While the absence of the two drives was noted on May 7, senior LANL management was not informed until June 1.
- On June 16, both drives were found behind a photocopier inside the security perimeter of X Division, but outside of the vault where they belonged.
- These drives contained sensitive nuclear information, which, if it fell into the wrong hands, could facilitate the development and design of a nuclear weapon by entities hostile to the United States and U.S. interests.
- At a minimum, the missing drives resulted from a security lapse, because by definition it is a "reportable incident of security concern" -- according to applicable DOE dircctives2 -- for these drives to be outside of the control of the NEST members, unaccounted for, and left in-- or returned to -- a copying room.
1. Were official policies, directives, and procedures deficient?
We did not find evidence linking the loss of the hard drives to either the presence or absence of official DOE policies, directives, and procedures for the protection of classified information. DOE policies, directives, and procedures for the protection of classified information are, in general, rigorous and thorough. Indeed, we had some concern that the rules were so numerous as to be needlessly complex and confusing. DOE security rules and regulations properly call for a high degree of safeguarding and protection of information relevant to nuclear weapon design and manufacture. In recent years, particularly following the Wen Ho Lee incident, DOE has increased security within the Department, first with the promulgation of PDD-61, which, among other things, established an Office of Counterintelligence within DOE, and later with a series of measures adopted by Secretary Bill Richardson. These included the appointment of a "security czar" and the requirement that key laboratory personnel submit to polygraph examination. Following the hard-drive episode, the Secretary ordered a number of further actions to bolster secuity.3 While we question the effectiveness of certain of these actions, we applaud the heightened priority given to security that they reflect.
Even after the significant security enhancements in recent years, we identified a number of shortcomings in official policies and procedures that existed at the time the drives were lost. A number of these have already been addressed in the Secretary's June 19 directive:
Common sense dictates that security procedures should be predictable over time and consistent among all individuals who have access to sensitive nuclear information, i.e., the policy and overall standards should not vary by laboratory or even by agency. Moreover, because the laboratory employees understand better than anyone the sensitivity of the information being protected, or how they work with that information on a day-to-day basis, those employees should be consulted about the impact of the implementation of rules and any proposed changes to the rules.
- Compendia of sensitive nuclear information should be subjected to higher standards of protection. Many of the officials we interviewed expressed the opinion that the documents that were contained on the missing hard drives were properly classified as SECRET/ RESTRICTED DATA, under the standards set forth in the Atomic Energy Act of 1954. We have no basis to challenge that conclusion. We believe, however, that, even if that is the case, the aggregation of all that data in such a concentrated format qualitatively altered the risk presented by the potential loss or diversion of the drive.
- Resources devoted to information security should be either reallocated or increased. Good security is expensive and we need to provide resources adequate to the task. This has not always occurred, despite the strong rhetorical support given to protecting nuclear secrets. While we need to continue to provide security against conventional threats, we also need to ensure that we are devoting sufficient resources to the growing cyber threats to our nuclear secrets. Moreover, the security issue cannot be isolated from the general deterioration of the buildings and working conditions in the nuclear weapon program, which leads to crowding, makeshift security arrangements (e.g., the NEST vault was shared with another LANL program) and, ultimately, low morale. Low morale breeds errors, including security errors.
- Relationships among key entities should be formalized. Interviewees commented on the confusion created by the lack of formal agreement governing resources, authorities, and responsibilities applicable to the entities -- including NEST, DOE (headquarters and field office), DoD, laboratories, contractors -- with some role in protecting nuclear secrets.
- Specific security improvements should be ordered. In the wake of the loss of the hard drives, the Department of Energy has considered a series of security improvements. A number have been ordered, e.g., through the Secretary's June 19 security directive. We recommend that implementation of the following measures be reviewed by the NNSA in consultation with LANL personnel, to strengthen security:
- Encrypting classified data on disk drives;
- Signing in/out procedures in vaults;
- Forbidding "dual-hatting" of vaults, e.g., with NEST and non-NEST computers and data;
- Requiring bar-coding of disks, documents, and equipment;
- Building teams with consistent membership and committment to mission, to enhance smooth coordination of the handling of highly classified information; and
- Restricting access to sensitive NEST information to those with a clear need to know.
Entities involved in Los Alamos security
Entities involved in the security management and oversight of LANL:
This does not include the significant "work for others" involving compartmented, special access, and other sensitive information that includes security management and oversight by the owners of the projects and information.
- DOE headquarters, including at least five major Department offices (Security & Emergency Operations, Office of Counterintelligence, Office of Intelligence, Independent Oversight & Performance Assurance, Inspector General), in addition to the headquarters elements of the NNSA (Defense Nuclear Counterintelligence, Defense Nuclear Security, and the three Deputy Administrators);
- DOE program offices;
- Contracting officers, contract administrators, and security offices at the DOE Albuquerque-based operations, field, and area offices;
- The University of California;
- Management, staff, and support offices of the laboratory itself.
- Security procedures should be subject to greater predictability, consistency and consultations with laboratory employees. Too often rules have changed frequently, sometimes at the level of laboratory sub-units, and without consultation with the affected employees. At times these rules or changes appear to have responded to political pressures emanating from the press or Congress. This has produced anomalous situations, e.g., where lab employees have not been able to run computer programs needed for their work because they take longer than the time between bathroom breaks. This unsettled situation is as bad for security as it is for morale.
2. Were official policies, directives, and procedures fully implemented?
Official policies and directives were not fully implemented in the hard drive incident. Even if the hard drives never left X Division, taking them out of the vault without accounting for them clearly violated established procedures. Nor could it have been proper to place them behind a copier in a nearby room. Further, according to the existing rules and procedures, once noted, the absence should have been reported within eight hours to the Associate Laboratory Director for Nuclear Weapons and to the Director of Security at LANL. This was not done.
An alternate view has been suggested that, insofar as the reporting of the loss is concerned, the operative policies and procedures were followed. In our meetings with laboratory employees (none of whom were among those identified as potentially involved in the incident), we heard the view that the drives were not truly "missing" until laboratory employees established (on May 30) that two hard drives had not been deployed to a sister laboratory for an exercise. LANL security officials confirmed that the hard drives were missing on May 31. Under that analysis, there would have been no obligation to report the drives missing to laboratory management until June 1. Hence, there was no improper delay, in contrast to the general view that there was a three-week delay in reporting the lost drives.
Laboratory management, however, dismissed that alternative view as without foundation, adding that laboratory employees knew full and well that as soon as they had identified the anomaly on May 7, the eight-hour clock for reporting began to tick. In addition, the LANL Security Office denied having supported any alternative view, as had been suggested in the preceding paragraph. The DOE manual4 on protection of classified information states that "[a]ny person observing, finding, or with knowledge of the loss or potential compromise of classified information shall immediately report this information to the facility security officer." At a minimum, the fact that laboratory employees might view a three-week delay in reporting as consistent with good security bespeaks a lack of understanding of -- or respect for -- the rules in effect.
3. Were lines of command and communication clear and effective?
No. The confusion of lines of command and communication was clearly demonstrated to us from our initial interviews with relevant officials and laboratory employees. Some DOE officials with direct oversight of NEST believed that LANL management was responsible for security. The Acting Deputy Administrator of NNSA for Defense Programs, however, acknowledged that his office was responsible for security in the NEST program. The DOE "security czar" had authority over budget and policies, but was not part of line management for LANL or NEST. Within DOE, the role of various offices within headquarters and the Albuquerque Operations Office was unclear.
LANL management thought DOE was essentially responsible for labotatory security, particularly with the appointment of a DOE "security czar." LANL security personnel believed that the NEST program was "special" and somehow exempt from normal LANL security oversight. NEST members believed they were subject to inconsistent guidance from varied and uncoordinated sources.
While the University of California contract to manage and operate LANL clearly assigns responsibility for security to the University, officials there appear not to have focused on this responsibility. Indeed, the former Chair of the President's Advisory Committee on the National Laboratories, an eminent and experienced scientist with decades of experience in intelligence and nuclear weapons issues, told us that he had no idea the University had this responsibility.
Lines of command and communication that are so greatly confused cannot be effective, and we conclude that thcy were not. The inevitable result of this confusion is a widespread lack of a sense of personal responsibility and accountability for security, which tends to appear to be someone else's problem.
To his credit, Secretary Richardson recognized this diffusion of authority and tried to redress it through the establishment of a "security czar," officially the Director of the Office of Security and Emergency Operations (SO). The "security czar" was invested with policy oveisight, and budgetary authority, and Secretary Richardson appointed a distinguished retired general to that position. While well intentioned, we conclude that the creation of a "security czar," who appears to operate from outside of the line organization, ultimately cannot succeed. Instead, it offers a convenient office in which to repose the responsibility but not the authority for security -- ultimately an untenable situation. We further believe that, with the establishment of the NNSA. the responsibility and authority for security at LANL and the other weapons laboratories must be vested in the Administrator of the NNSA, and run right down the line management of that organization to the individual employee.
4. Was DOE oversight effective?
DOE oversight did not identify or disclose in advance the specific shortcomings that contributed to the security breach of NEST, in this instance. Once the hard-drive incident occurred, however, DOE oversight responded expeditiously and thoroughly, issuing an interim report in less than a month and completing its final report in September.
As in line management for security, in the area of oversight there has existed a confusion of responsibilities, as there were two offices led by senior DOE officials with apparent oversight responsibility and authorities. One was the "security czar" discussed above. The other was the Office of Independent Oversight and Performance Assurance, established by the Secretary of Energy in 1999, which is led by a career DOE official. The Office of Independent Oversight and Performance Assurance has responsibility for providing the Secretary of Energy and senior DOE managers an independent assessment of the effectiveness of DOE policy and site performance, including in such areas as safeguards and security, cyber security, and emergency management. Comments from our interviews reflect confusion over the respective oversight roles of these two entities.
Part of the problem in oversight of NEST reflected the deteriorating relationship between LANL employees and the relevant oversight bodies in the wake of the Wen Ho Lee affair. Independent oversight requires vigorous auditing of the line organization -- from outside the line -- to identify security deficiencies and possible correctives. The auditing process should ultimately be one of give and take -- in the form of finding and response -- that promotes the common goal of the best possible security at the laboratory. Where that shared commitment is lost, e.g., where laboratory employees' concerns of criminal prosecution undermine their commitment to full candor in response to oversight, the oversight function cannot be effectively executed. Our interviews suggest that this has begun to occur at LANL.
* * * On balance, while we cannot exclude the possibility of deliberate misconduct, if the hard drives were in fact simply misplaced through human error, the foregoing section suggests that such an error cannot be surprising when one considers the situation of the NEST members:
- ambiguously lodged in a. confused hierarchy,
- subject to unclear and diffuse authority,
- undisciplined by a clear understanding of accountability for security matters, and
- frightened or intimidated by the heightened sense of personal vulnerability resulting from recent security lapses and efiorts to redress them.
The challenge we face is how -- while preserving the best science in the world -- to ensure that appropriate procedures are in place and followed and that each individual with access to nuclear weapon information views the proper care of sensitive materials as a critical part of his or her mission. The recommendations in the following section seek to address this challenge.
C. What preventive measures should be implemented?
We identified a number of corrective actions to be commended to the President, the Secretary of Energy, the Administrator of the National Nuclear Security Administration (NNSA), and to the Congress. Taken together, they should facilitate the exercise of strong, unified leadership over nuclear security matters at Los Alamos:
1. Organization
2. Security Measures and Procedures
- Clarify -- and simplify -- lines of command and communication. The direct responsibility for security must be united with the responsibility of line operations. Management and direction of security in the line operations of NEST should be vested in a single office. The oversight function should be consolidated and clearly established outside of the line of management of the laboratory.
- Establish clear accountability for security. It should be clear to all -- inside and outside the DOE -- who is responsible for security in the chain of command governing NEST. That individual should be held accountable to the Secretary of Energy and to the Congress for the security surrounding NEST planning and operations. The roles of the various units at DOE (National Nuclear Security Administration, Security and Emergency Operations, Office of Counterintelligence, Office of Intelligence, Independent Oversight and Performance Assurance, Inspector General, and Albuquerque Operations Office), the University of California, the management of LANL, and the Department of Defense in the NEST chain of command should be simplified and clearly codified in a formal document. Accountability for NEST must be dear whether its members are in garrison or in the field.
- Reinforce the position of the NNSA within DOE and the authonty of the NNSA Administrator. Because the newly established NNSA is responsible for the preservation of our nuclear deterrent, it is critical that the NNSA and its Administrator enjoy the full confidence of the President, the Secretary of Defense, Secretary of Energy, and the Congress, and be provided with sufficient authority (through delegations from Congress and die President) and resources to carry out this vital national security mission. In performing that mission, the Secretary of Energy and the NNSA Administrator should be guided by the national security policies established by the President, and coordinated through the National Security Council process.
X Division
The Applied Physics (X) Division ("X Division") is responsible for nuclear weapons design and related subjects in theoretical and computational physics. The division has a lead role in assessing the safety, reliability, and performance of the weapon systems in the nation's enduring nuclear stockpile. Its activities include analyzing emerging proliferation threats and developing response options, as well as using associated technical expertise in nondefense technologies.
X Division technical staff members interact extensively with the Departments of Energy (DOE) and Defense, the intelligence community, other DOE laboratories, and the United Kingdom's atomic weapons establishment. They also provide operational support in response to nuclear emergencies, plus expert advice to government agencies in support of treaty negotiations and foreign interactions.
X Divisions's core technical capabilities lie in numerical simulation and developing physics models of complex problems that require the coupling of multiple processes. Expertise includes:
- Physics design and assessment of nuclear and nonnuclear weapons,
- Integrated analysis of nuclear weapons output and effects,
- Numerical algorithm development (hydrodynamic and transport solution methods),
- Plasma physics and electromagnetic theory,
- Particle and radiation transport applications,
- Physics design of intertial confinement fusion (ICF) targets and experiments,
- Materials models development,
- Integration and implementation of large-scale numerical simulation models, and
- Scientific visualization and user interfaces.
- Formalize agreements allocating resources, responsibilities, and authorities among the entities responsible for the protection of sensitive nuclear information, including the Department of Energy, its elements and contractors, the Department of Defense, and the Intelligence Community, to assure the consistent handling of RESTRICTED DATA in all of these entities.
- Clarify the responsibility of the University of California, the management and operations contractor for LANL, for the performance of its employees in meeting contract requirements, including satisfying security requirements. As long as the University remains responsible for management and operations at LANL, the security function should be integrated into laboratory management, not taken away from the University and transferred elsewhere.
- Cooperate with the Congress. The NNSA and the Department of Energy should work closely with the Congress, which has traditionally played a strong oversight role over our Nation's nuclear establishment since the dawn of the atomic age, to continue to rebuild trust and confidence in the management of the national laboratories.
3. Personnel Actions
- Review security classifications and procedures regarding nuclear information and, especially, compendia of nuclear information. Compendia of classified data should be encrypted and should be classified in accordance with their collective sensitivity, not purely as a function of the highest classification of a single document.
- Implement security upgrades at LANL. NNSA and LANL should continue to consider a variety of possible security improvements -- physical, technical, and procedural -- such as vault-access procedures, bar-coding of classified media, disk-tagging, self-destroying disks, two-person rules, restricting access to sensitive NEST information, and others.
- Modernize our approach to evolving security threats to sensitive nuclear information. The NNSA, LANL and the NEST should adapt 21st Century security improvements to 21st Century risks, e.g., by investing in cyber security through the use of encryption and other electronic means to protect nuclear information. NNSA and NEST should consider the use of secure telecommunications instead of hand-carried hard-drives during field deployments as a means to increase security while reducing administrative burdens.
- Consult NEST members on security procedures to which they will be subject, to give them a stake in their own procedures, and to avoid self-defeating "made in Washington" rules that make the problem worse not better.
- Review security measures in use in other governmental entities and the private sector, and adopt or adapt best practices for national laboratories.
4. Resources
- Define security to extend beyond the traditional elements of physical protection (guns, guards, gates), to include adequate attention to the morale and motivations of laboratory employees. Employees must be provided with the necessary resources and modern facilities necessary for their work, and they should be consulted in matters that affect their mission, including implementarion of security policies.
- Educate and train LANL personnel. These programs should be designed to reduce the "clash of cultures" between science and security, including through open discussion of this historic tension. It should instill improved security consciousness, animated by understanding of national security risks, rather than by fear of job loss or prosecution.
- Eliminate the "zero tolerance" policy on information security, so that security incidents can be reported and remedied without employee fears of undue reprisals.
D. What are the implications of the hard drive incident?
- Provide adequate resources to support the mission of the national laboratories to preserve our nuclear deterrent, including the information security component of that mission. Congress should consider significant appropriations to upgrade our facilities dedicated to preserving a safe and secure nuclear deterrent.
- Ensure that security resources are properly allocated to conventional and cyber threats to our nuclear secrets. Consider how advanced technologies may be deployed to enhance security -- corresponding to the increased vulnerability that cyber threats and other advanced technology pose to nuclear secrets -- with a view toward methods that can significantly enhance security, while reducing costs and administrative burdens.
Beyond the assessment of what happened and why, our review of this episode underlined the fact that no security. procedures or physical barriers can substitute for individual commitment to security. After all, the Los Alamos scientists and engineers walk in and out of X Division every day with the most sensitive nuclear information in their minds. Neither airtight procedures nor robust deployments of guns, guards, and gates can alter that immutable fact. For this reason, security must be viewed not as a burden levied by outsiders upon laboratory employees, but rather as an integral part of the employees' mission to assure that America has the nuclear technology it needs, but that her foes do not. Fortunately, we have found that this deep commitment to security, although buffeted by recent events, still exists in the laboratory employees we had the opportunity to visit.
Our meetings with X Division and NEST members, however, did reveal that the combined effects of the Wen Ho Lee affair, the recent fire at LANL, and the continuing swirl around the hard-drive episode have devastated morale and productivity at LANL. The employees we met expressed fear and deep concern over the influx of FBI agents and yellow crime-scene tape in their workspace, the interrogation of their colleagues by the FBI and by federal prosecutors before a grand jury, and the resort of some of their colleagues to taking a second mortgage on their homes to pay for attorney fees. The inevitable anxiety resulting from these circumstances collectively has, by all accounts, had a highly negative effect on the ability of LANL and the other national laboratories to continue to do their work, while attracting and maintaining the talented personnel who are the lifeblood of the cutting-edge work of the laboratory. This is particularly true in X Division and NEST, but seems to be a factor in the lab as a whole.
In that context, we also take note of the strong opposition to polygraphy expressed by the scientists at LANL, on philosophical and scientific grounds. Obviously it is well beyond the scope of this review to assess whether the information-security gains of the current polygraph protocol, as administered, outweigh the possible national security losses in accelerating attrition among our national-laboratory scientists. We therefore welcome the study of the costs and benefits of that security tool by the National Acaderoy of Sciences.
The current demoralization at LANL is dangerous. Once issues of management oversight give way to criminal investigation, and laboratory employees fear that committing a security error may expose them not just to management discipline, but to prosecution and imprisonment, any hope that individuals will volunteer information that could reflect security lapses is annihilated. To be sure, if crimes were committed they should be prosecuted, but we must recognize that the general criminalization of security lapses will tend to bury security deficiencies under a welter of self-justifications and active or passive failures to cooperate with oversight organizations. Ultimately this will erode both the security surrounding our nuclear secrets and the ability of independent oversight organizations to discover them. Poor morale breeds poor security, because the protection of our nuclear secrets ultimately depends on personal loyalty, commitment to mission, and care by laboratory employees, as much as on physical barriers or other external measures.
The ability of LANL and the other national laboratories to attract and retain top talent has already been eroded, and now stands at serious risk. If the national laboratories lose the ability to attract and retain top talent, then U.S. national security will be seriously harmed. That harm may be long lasting, in light of the specialized nature of nuclear weapon design technology and the inexorable attrition through retirement and other departures of the dwindling numbers who understand them thoroughly.
It is doubtful that the DOE, NNSA, LANL, and the University of California will be able effectively to redress either security or management lapses in the midst of a continuing criminal investigation or prosecution. It is critically important to national security that the internal disruptions at LANL be brought to a swift and orderly conclusion, and that the new management structure of the NNSA take all necessary measures to put the laboratory back to work, and to establish the conditions that will be conducive over the long term to the development of leading-edge science in a safe and secure environment.
We must promote a strong and vibrant scientific culture at our national laboratories to continue developing the technological advances that secrecy is designed to protect. The great tradition of loyal Americans generating creative ideas in the performance of world-class science must be preserved.
The current negative climate is incompatible with the performance of good science. A perfect security system at a national laboratory is of no use if the laboratory can no longer generate the cutting-edge technology that needs to be protected from improper disclosure. Further, to remain in the forefront of nuclear-technology development, our scientists need to be able to communicate and collaborate with scientists in other national laboratories, in universities, and in other nations.
We conclude that it is critical to reverse this demoralizatton before it further undermines the ability of Los Alamos National Laboratory both to continue to make its vital contributions to our national security, and to protect the sensitive national security information that is critical to the fulfillment of their responsibilities.
Comments from LANL employees
On August 8, we visited LANL and held two roundtable sessions -- on a not-for-attribution basis -- with members of X Division and the NEST. Representative comments are summarized here:
Our work load is increasing, but staff is declining.
Politicians come here and say they want "the best and the brightest." But why would the best and the brightest work here?
Politicians have the power to destroy the laboratory but not to recreate it in time of need. The nuclear weapons business is a guild system. It takes a long time to build.
It is imperative for national and global security to keep our nuclear stockpile, so stockpile stewardship is critical. The quality of background investigations has deteriorated. A Q badge is not worth what it used to be. They should abolish L clearances from this building. I do not want to be in a building where we can't speak freely.
All of the recent relaxations of security have been over the objections of the laboratory. None of the laboratory's security recommendations were accepted.
Offer an amnesty with a reasonable [administrative] punishment, if you want the truth about the hard drives.
We're walking down a canyon and it is getting tighter and tighter, and you're not getting a pedigree on the disks.
NEST members are hard-working, security-conscious people.
This emphasis on punishment has lost us 50 percent of computing-science people in the past three years.
There is a lot of misdirected security.
The guidance we get is routinely inconsistent and frequently absurd. If you give nerds absurd guidance it won't work. Give them sensible and consistent guidance and they'll do their best.
I've been here 22 years. We are in this death spiral without trust and respect, and I don't know how to get it back.
We are completely divorced from security. The relationship is totally adversarial. Security has no vested interest in our mission. You should have a team with security, ES&H [Environment, Safety & Health], all with a vested interest in the program.
The safest and most secure way to do work is not to do any work at all.
A year ago, I'd be inclined to try to work with Security. Now I'm scared... and it ain't worth it. What they want is someone to crucify. They are not interested in solving the security problem. I ain't gonna talk to anybody, which is not the best way to keep security in this place.
A year ago they [oversight officials] were partners. Now they are policemen.
Three to four years ago Albuquerque [Operations Office] encouraged increased reporting of security violations and we were naive enough to believe it. So the incidents shot up, but then the rain came down and they started coming after us.
The political process has created gray areas, such as UCNI [Unclassified Controlled Nuclear Information], which introduces complacency. We should separate classified from unclassified information clearly and cleanly.
We've lost the third "S." We've got the safety and security, but we have forgotten the science.
If you lose the best, you can turn this place into an arsenal, but you cannot keep world-class science.
Zero infractions, zero tolerance, zero work, zero IQ.
People are making up rules at the division and group level that make no sense.
My continued involvement in NEST is hanging by a thread, because I have colleagues locked out of their offices.
IV. Conclusion
In undertaking this assignment, we believed. that we had an opportunity to make a constructive contribution to a difficult problem. This problem did not begin with our involvement with it, and will not end with our report.This report cannot be read as a broad critique of the individuals who serve at LANL, or in X Division. We recognize that the vast majority of these individuals are dedicated, patriotic, conscientious contributors to our national security, and protectors of our nuclear secrets. Their extraordinary record ofaccomplishment is legendary, dating back to the Manhattan Project.
To understand that security breaches are the exception rather than the rule, however, cannot alleviate the irreversible damage that even one major loss of classified data can cause. Rather than shrink from taking on a task so demanding, we urge DOE to embrace the challenge as an opportunity to apply the same energy and creativity that it has always shown to its highest program objectives. This imposes a heavy responsibility on our public servants, but we are confident they can meet it.
These have been hard times at Los Alamos, between the tragic fire and the security issues that have dominated the headlines in recent months. In visiting Los Alamos, we came to understand the very different perspective the scientists there bring to all issues -- including security -- and view that difference as a source of strength, not weakness. We saw the anger and anxiety there, and it causes us great concern. If these problems are not addressed, the cutting-edge science that has served America so well will be placed in jeopardy.
In our meetings at LANL, we saw that many scientists fully appreciate the need for good security practices to fulfill the fundamental national security mission of the laboratory to maintain a safe and secure nuclear deterrent. Understandably, the scientists expressed the strong desire that these security practices be reasonable and practical, and that they be consulted on new security procedures before they are imposed.
It is reasonable for the Congress and the American people to be assured that our nuclear secrets are safe and well protected. It is reasonable for the LANL employees to be assured that their contributions to the national security are appreciated and that they will be provided a safe and secure environment -- politically as well as physically -- in which to work.
These reasonable expectations can all be met, we believe, if we can move beyond traditional tensions so that science and security reinforce one another in the service of the Nation. Our purpose, through this report to the Secretary of Energy and to the President, is to help resolve security concerns, to recommend reform measures for consideration, to reassure Los Alamos National Laboratory of the trust the country places in. laboratory personnel as custodians of our deterrent, and to reassure all Americans that their trust is well placed.
Working together, we believe that we can achieve that purpose, and set the stage for an exciting new period at Los Alamos National Laboratory, where the character of the scientific activity may change but its quality will not, where the great tradition of the scientists who have made breakthrough after breakthrough will be strengthened and continued, and where the Nation will honor their accomplishments and thank them for their invaluable efforts in defense of our freedom and security.
1. The PFIAB published a report in June 1999, based on the analysis of approximately 115 external and internal reviews, investigations, audits of security at the Department and national laboratories dating from 1979 to 1999, that identified a multitude of chronic security and counterintelligence problems at all of the weapons laboratories. End Notes
2. For example, DOE Order 471.2A, Information Security Program; DOE Order 471.2-lB, Classified Matter Protection and Control Manual, Chapter IV; and X Division 025-069 Vault -- TA-3, SM-43, Room A222A -- rules of use.
3. The June 19, 2000 memorandum from the Secretary of Energy required nuclear weapons laboratories to implement a number of measures, including improved control over entering and exiting classified vaults, supported by the maintenance of logs, evaluation of existing vault procedures; encryption of certain media, and other measures. These and other DOE security initiatives are included in the Appendix.
4. DOE Order 471.2-1B, Classified Matter Protection and Control Manual, Chapter IV.