Cybersecurity holes persist at DOE labs, study finds

Despite what may be the worst spy case in U.S. history involving nuclear weapon design data, the computer networks at the nation's five weapons laboratories continue to be "riddled with vulnerabilities," according to a report by a special investigative panel of intelligence and security officials.

According to the report, "Science at its Best, Security at its Worst," issued this month by the President's Foreign Intelligence Advisory Board, midlevel managers throughout the Energy Department have responded to the recent Chinese spy scandal with a "business as usual" attitude, while foreign nationals residing in "sensitive countries" continue to have unmonitored remote dial-up access to lab networks.

The three-month study uncovered recurring problems with DOE's computer security program, including poor labeling and tracking of computer media, problems with lax password enforcement on laboratory computer workstations and a significant failure to control access to sensitive and classified networks.

Computer security methods throughout DOE over the last two decades have been "naive at best and dangerously irresponsible at worst," the report said. In fact, "computer systems at some DOE facilities were so easy to access that even department analysts likened them to 'automatic teller machines,' [allowing] unauthorized withdrawals at our nation's expense," the report said.

Security audits also uncovered what the report calls "remarkable" lapses in addressing security problems and procedural gaps at many DOE labs. According to the report, it took DOE 31 months to write and approve a network security plan, 24 months to order security labels for mislabeled software, 20 months to ensure that improperly stored classified computer media had been safeguarded and 51 months to properly safeguard cryptographic material used to secure telephones. It even took 11 months to remove a deceased employee from classified document access lists, according to the report.

The report also outlined instances of classified information being placed on unclassified networks well after the department had developed a corrective action plan in July 1998. "The predominant attitude toward security and counterintelligence among many DOE and lab managers has ranged from half-hearted, grudging accommodation to smug disregard," the report concluded.