Report berates DOE lab security

A report issued last week by a special panel of senior intelligence and security officials on what some experts are calling the worst case of espionage in U.S. history has increased the scrutiny of government computer security programs and policies and has caused many to question the government's commitment to information assurance.

The report comes just three months after President Clinton ordered a comprehensive review of security failures that allowed Chinese spies to steal an unknown amount of the United States' most sensitive nuclear weapons secrets from Energy Department research laboratories. The report concluded that midlevel managers throughout DOE have responded to the recent Chinese spy scandal with a "business as usual" attitude, while foreign nationals residing in "sensitive countries" continue to have unmonitored remote dial-up access to lab networks. The report was conducted by the President's Foreign Intelligence Advisory Board (PFIAB), which was led by former Sen. Warren Rudman, once chairman of the Senate Select Committee on Intelligence.

Until just a few weeks before the report was made public, panel members said they were approached by government users and other officials who informed them of enduring gaps in computer and network security, leading the panel to conclude that the computer networks at the nation's five weapons laboratories still are "riddled with vulnerabilities."

The report, "Science at its Best, Security at its Worst," follows a similar study conducted under Reps. Christopher Cox (R-Calif.) and Norman Dicks (D-Wash.), who headed the House select committee that investigated the Chinese espionage case. Twenty- six of the report's recommendations, which focus on improving cybersecurity measures and export controls on high-performance computers, were attached to the Defense Department's fiscal 2000 authorization bill.

The Rudman report has caused a stir on Capitol Hill and throughout the intelligence and security communities by concluding that many holes remain in the nation's information systems security programs and that the problems may be more widespread than once thought.

For example, senior military officials in Europe told FCW that routine security audits recently have discovered physical connections between unclassified and classified computer networks. The connections were left in place because operators found it too difficult or inconvenient to transfer unclassified files from one system to the other using floppy disks or e-mail. In addition, it was also discovered that simple misspellings can cause information to inadvertently pass through network guards designed to monitor classified information.

Speaking at the GovTechNet International Conference and Exposition in Washington, D.C., last week, Rep. Tom Davis (R-Va.) said computer security "has not been given enough emphasis in this country" and that not enough research is being done to study future vulnerabilities.

Steven Aftergood, an intelligence and security expert with the Federation of American Scientists, said it appears that security policy throughout the government is prone to be reactive rather than proactive in nature. "Unfortunately, security is often failure-driven instead of threat-driven," Aftergood said. "Instead of anticipating problems, large bureaucracies tend to wait until something goes wrong before taking action."

Allen Thomson, a former CIA analyst and a frequent contributor to FAS studies, called the cybersecurity failures at the weapons labs "absolutely routine bureaucratic behavior such as I saw many, many times both while at the CIA and afterwards."

According to Thomson, it took the CIA about a year to remove highly classified documents from a general access document retrieval system after the classified documents started to show up inadvertently in the document queue. "So was it then, so is it now and so - apparently - shall it ever be," Thomson said.

The three-month study of DOE's computer security program uncovered recurring problems, including poor labeling and tracking of computer media, problems with lax password enforcement on laboratory computer workstations and a significant failure to control access to sensitive and classified networks.

Computer security methods throughout DOE over the past two decades have been "naive at best and dangerously irresponsible at worst," the report said. "Computer systems at some DOE facilities were so easy to access that even department analysts likened them to 'automatic teller machines,' [allowing] unauthorized withdrawals at our nation's expense."

A DOE spokeswoman said last week that the department had not finished reviewing the report and was not ready to provide a response to it.

Last Wednesday, DOE Secretary Bill Richardson named a retired Air Force general, Eugene Habiger, as director of a new Office of Security and Emergency Operations. This office, created last month, incorporates the staff of chief information officer John Gilligan and is responsible for computer security.

The spokeswoman said she could not provide any information about Habiger's plans for computer security because he has not yet taken office. He is expected to join DOE in early July. Meanwhile, DOE is asking Congress for $50 million to fund computer security improvements over the next two years.