DOE office reviews, tightens security

The Energy Department, which suffered some of the most damaging computer security breaches in government, has begun to tighten security through a newly established office, according to government auditors and DOE security experts.

Last month, the Office of Independent Oversight and Performance Assurance released its first reviews of the national nuclear weapons laboratories. The Los Alamos National Laboratory improved its security posture to "satisfactory," the highest rating under the office's three-tier system, while Lawrence Livermore and Sandia laboratories were rated as "marginal."

The ratings indicate that security at the labs has improved, and they mark a return to the department's practice of reviewing facilities instead of just "profiling" them, said evaluators from the General Accounting Office.

The profiles were a "status check rather than a rating," said Ken Lightner, a GAO evaluator who has been following DOE oversight and security operations. "What we've seen since April...is they're back doing inspections again."

DOE created the Office of Independent Oversight and Performance Assurance in May as part of a new departmentwide security strategy created in response to computer security holes that led to China's alleged theft of U.S. nuclear secrets The office performs three functions:

It reviews the safeguards and security at all of the Energy facilities.

It performs real-time cybersecurity reviews, including continual vulnerability and intrusion scanning.

The most important changes have been made in the new position the oversight office has within DOE, an arrangement that allows the office to work with program people to solve security problems, a senior department official said.

"Part of the problem with this department is that we have too many people looking for problems and not enough fixing them," the official said. "We feel like we are making a difference in the department now."

The office's independent position within DOE has been questioned in the past, but because the office's managers report to only Energy Secretary Bill Richardson, with occasional briefings to Congress, office officials feel they are responsible to no program within the department. GAO agrees that it is possible for a group to be independent, even though it is still inside an organization.

"It is theoretically possible to have independent oversight within an organization, as long as that entity is insulated from policy concerns," said William Fenzel, a GAO evaluator. "But it's also helpful to have the external oversight...and Energy has not been lacking that in the past six months."

The oversight office works with chief information officer John Gilligan; the department's new "security czar," Eugene Habiger; and counterintelligence director Edward Curran, the department official said. There are weekly meetings to talk about issues, status, problems and successes, but the policy groups run the meetings and only call on the information and knowledge of the oversight office, he said.

In addition, the attitude of the office toward the facilities being reviewed has changed in a way that can only benefit the department, the official said. "We try not to be like neo-Nazis and just embarrass everyone," he said. "We try to come in and find out how we can help people."

The office plans to help improve security by returning to each facility to check if each item mentioned in the reviews are fixed, rather than showing up months later and finding that nothing has been done, he said.