Computer security at center of DOE problems, top officials say

The former director of the Energy Department's Office of Safeguards and Security today outlined for Congress years of cybersecurity problems at the nation's nuclear weapons laboratories, claiming officials were aware of ongoing espionage but failed to do anything about it.

Edward McCallum, the former chief of DOE security who is now detailed to the Defense Department as the Pentagon's acting director of the Combating Terrorism Technology Support Office, said DOE officials "knew our greatest secrets were being stolen and . . . did nothing about it."

McCallum, who testified today before the House Armed Services Committee's Military Procurement Subcommittee, said efforts by his office dating to 1995 to enhance DOE cybersecurity met with "significant laboratory resistance" and ultimately failed. "Several laboratories and their program assistant secretaries in Washington, [D.C.], believed that protection, such as firewalls and passwords, was unnecessarily expensive and a hindrance to science," McCallum said. "A variety of computer security tools and techniques, such as encryption devices, firewalls and disconnect features, are required by policy; however, these policies were frequently ignored."

Retired Air Force Gen. Eugene Habiger, director of DOE's Office of Security and Emergency Operations, told committee members that during his review of DOE security measures, under way since he took the post in June, he discovered that the department had lost its focus on security. "By-products of this organizational dysfunction and lack of focus included . . . a lack of attention to our cybersecurity practices in a world of increased computer hacking and cyberterrorism," said Habiger.

McCallum identified the lack of protection afforded classified information systems and the ease with which that information could be transferred to and from classified systems as one of the DOE's primary security weaknesses. "Something as simple as using different size floppy disks between classified and unclassified systems was rejected as unnecessary," he said. "Indeed, I believe we are sitting at the center of the worst spy scandal in our nation's history."

Habiger also laid blame on Congress' failure to fund additional cybersecurity initiatives requested by DOE in the department's fiscal 2000 budget proposal. "We have valid requirements in the area of cybersecurity to buy hardware, encryption equipment and to train our system administrators," Habiger said. However, "simply stated, we have been given a mandate but not the additional resources to accomplish that mandate."