Lee indictment ignites polygraph, security debate
The Energy Department has issued new counterintelligence regulations in the aftermath of a security breach at a national laboratory that call for polygraph examinations of hundreds of agency employees, including highlevel political appointees who have access to classified information and computer systems.
The Energy Department has issued new counterintelligence regulations in the aftermath of a security breach at a national laboratory that call for polygraph examinations of hundreds of agency employees, including high-level political appointees who have access to classified information and computer systems.
But the rules have reheated a debate among members of the scientific and computer security community about whether polygraph technology is an effective counterintelligence tool.
DOE issued the rules Dec. 13, three days after the Justice Department indicted a former DOE employee, Wen Ho Lee, on 59 counts of altering, concealing and removing sensitive data from classified computer systems at the Los Alamos National Laboratory.
According to the indictment, Lee is alleged to have collected information from a classified network and then altered and downloaded the information to an unclassified portion of the network, "with the intent to injure the United States and with the intent to secure an advantage to a foreign nation."
In a memorandum sent last week to all DOE department heads, DOE Secretary Bill Richardson said the questions that will be asked as part of the department's "Counterintelligence Polygraph Implementation Plan" will be limited to "narrowly focused topics of espionage, sabotage, terrorism, intentional unauthorized disclosure of classified information...and deliberate damage or malicious misuse of a U.S. government or defense system."
Of the 800 DOE and contractor personnel targeted by the new polygraph rule, many will come from offices involved in Internet and network security. The Office of Independent Oversight and Performance Assurance and the Office of Safeguards and Security will test personnel who are regularly engaged in Internet security assessments and digital file transfer operations, according to the memorandum.
According to the charges, Justice believes Lee made deliberate attempts during a six-year period to conduct unauthorized transfers of classified information that dealt with various aspects of the U.S. nuclear weapons and research program. Lee is accused of creating 19 archive files containing restricted data classified at both the secret and confidential level and transferring those files to the unclassified portion of the network. The indictment also alleges that he downloaded weapon design data to various tape drives.
Steven Aftergood, an intelligence specialist with the Federation of American Scientists, said the new polygraph policy is unlikely to improve cybersecurity at the department, although it may help raise awareness about security issues.
"The new policy strikes me as incoherent," Aftergood said. "If the polygraph is an effective security tool, it should be employed throughout the work force at sensitive facilities. But if it is a bogus technology that is prone to error, it should not be used at all.... More security does not always mean better security, and the new policies could end up doing lasting damage to our national security technology base."
Members of the General Accounting Office division with oversight of DOE security programs said they have never looked to polygraph tests in the past as a method for solving security issues, and they were also skeptical about how effective the new regulation would be.
"In the bulk of the cases, these [security] problems boil down to the Department of Energy not following their own rules," said William Fenzel, assistant director of Energy audits at GAO. "So putting one more layer in place is just one more rule that probably won't be enforced."
Mark Lowenthal, a former deputy assistant secretary of State for intelligence, said he is skeptical about the utility of polygraphs, largely because of the cases in which they have not worked.
For instance, convicted spies Aldrich Ames and Larry Wu-tai Chin "both passed [polygraphs] while actively engaged in espionage," he said.
However, although State and Congress do not use them, Lowenthal said he does not see any alternative to the polygraph's use.
In a report on the fiscal 2000 intelligence authorization bill, the Senate questioned the accuracy of polygraph technology and called on the counterintelligence community to identify alternative technologies. "Given the potential unreliability of the polygraph system, the committee believes that alternatives to the polygraph should be explored," the report stated.
DOE heard from dozens of other experts and employees departmentwide who raised similar concerns and argued that the use of the polygraph would prevent the department from attracting and retaining the best scientific talent available. Although some experts recommended to DOE several alternatives, including enhancing computer security and external surveillance systems, DOE rejected those recommendations.
"DOE does not believe that it is necessary to spend more money on additional external security enhancements since its systems already are among the best in the federal government," states the final DOE ruling. "Additional enhanced external security measures by themselves provide little protection against the cleared employee who decides to engage in espionage."
NEXT STORY: Administration warns state systems not Y2K-ready