DOE clamps down on whistleblower for security leaks

In the aftermath of what may be one of the most damaging cases of espionage in U.S. history, the Energy Department has placed a former director of security on administrative leave for blowing the whistle on lax security—including failed computer-security practices—at a top nuclear weapons lab.

DOE officials claim Edward J. McCallum, the former director of safeguards and security for DOE, disclosed classified information during a phone call with an informant from the Rocky Flats, Colo. nuclear facility who detailed the security lapses to him.

That information, detailing significant failures in computer and network security across the department, became publicly available when Rep. Curt Weldon (R-Pa.), speaking on the floor of the House of Representatives this week, entered McCallum's statement into the congressional record.

According to Weldon, McCallum has been placed on "political administrative leave" for informing members of Congress about the various security problems at the facility and therefore embarrassing DOE. The revelations come as DOE grapples with the task of developing new counterintelligence and security procedures after China managed to steal highly classified nuclear weapons secrets.

In a written statement, McCallum alleged that DOE's computer security program suffers from a variety of problems, including an indiscreet relationship between classified and unclassified networks, a lack of guidance from the department on proper security procedures and a severe lack of system administrators trained and skilled in computer security.

Most of DOE's system administrators are responsible for developing their own network security architectures and procedures, but "many of them do not have the computer security background or knowledge to implement a sound computer security program," McCallum said. In addition, attempts to issue and enforce a comprehensive set of rules and regulations met with significant resistance, he said. "Several laboratories complained that providing protection such as firewalls and passwords were unnecessarily expensive and a hindrance to operations," he said.

McCallum also detailed security violations involving the processing of classified information on networks designed to handle only unclassified data. "My office has noted a number of problems in this area, [including the] failure to conduct classification reviews before placing information onto an unclassified processing system, intentionally creating unclassified data that is very close to classified data to ease processing, and using personal computers at home to process classified information," McCallum said.