Los Alamos National Lab again under fire for weak computer security

Officials failed to identify and authenticate users, encrypt classified information, monitor compliance with policies, or check that settings are up to date.

Information security weaknesses continue to plague Los Alamos National Laboratory, according to the Government Accountability Office, which reported on Friday that the lab failed to allow only authorized users access to the network.

In its report last week, GAO identified numerous network vulnerabilities in several critical areas of the laboratory, which manages operations at nuclear facilities. Among the weaknesses were failures to identify and authenticate users, authorize user access, encrypt classified information, monitor compliance with security policies, or check that security settings are up to date.

The National Nuclear Security Administration oversees the laboratory, which is managed by Los Alamos National Security, a consortium of contractors. According to GAO, NNSA policy states that individuals must not share passwords except in emergency circumstances or when there is an overriding operational necessity, and passwords on sensitive systems should be changed at least every six months. The administration also requires the lab to use two-factor authentication whenever possible. Two-factor authentication requires a user to provide two forms of identification, such as a username and password, and possibly a smart card or a fingerprint.

"[The lab] did not always manage passwords securely on the classified computer network," GAO investigators said. "As a result of this weakness, increased risk exists that insiders with malicious intent could guess the passwords of other individuals and use them to gain inappropriate access to classified information."

In addition, users were granted access to more computer files than needed to perform their duties and classified systems were not configured with necessary security controls, according to the report.

Although the lab made some improvements to information security in the past couple of years, the latest report highlights "a number of high-profile security lapses," GAO noted. In October 2006, evidence obtained during a drug-related investigation in Los Alamos, N.M., revealed that classified information saved on a thumb drive and some paper documents had been improperly removed from the laboratory. The incident followed others, including one in which the lab could not account for classified removable electronic media such as compact discs and hard drives. In 2000, two pieces of removable media containing nuclear weapon designs used by the Energy Department were lost temporarily, and in 1999, a scientist transferred classified information from Los Alamos computer systems onto unmarked discs, which he then removed from the laboratory.

NNSA generally agreed with GAO's recommendations, including stricter risk assessments for systems connected to the classified computer network and policies that contain specific instructions on how to implement federal and departmental security requirements. GAO also recommended that the lab implement a policy to mark the classification level of information in documents and files stored on the classified computer network, and develop and maintain an inventory of all documents and files stored on the network.

Vulnerability scans should be conducted to test the security for all systems connected to the classified computer network, and security management should be centralized to make enforcement of laboratory policies easier. The lab also should develop a plan that details how cybersecurity improvements will be maintained and funded.

In addition, GAO recommended that NNSA review federal cybersecurity staffing requirements at the Los Alamos office to determine whether more personnel are needed.