A spending tug of war

An Energy official says a nuclear security agency has expanded physical safety at the expense of cybersecurity

Because the National Nuclear Security Administration used funds for cybersecurity to cover the cost of strengthening physical safety at its facilities after last year's Sept. 11 terrorist attacks, the agency now has inadequate resources to protect its networks, an Energy Department official said.

Working from its fiscal 2002 spending account, DOE's NNSA had $555 million for safeguards and security. Of that, $58 million was earmarked for information security, according to the official, who asked to remain anonymous. But some of that money was reallocated to guards, their overtime pay and other physical defenses after the attacks, the source said.

The timing couldn't be worse.

"We're barely holding our own in being able to keep up our defenses," the official said. "We can handle the basic stuff, but [not] the really sophisticated ways of attacking and moving data."

It boils down to a spending tug of war, cybersecurity experts said.

After Sept. 11, "my first priority was to assure the safety and security of nuclear weapons, the weapons complex and its employees, special nuclear material and other high value assets," NNSA Administrator John Gordon wrote in the agency's budget request for fiscal 2003.

Gordon augmented protective forces and established a heightened security posture, according to the proposal. In addition, the agency formed a task force to recommend immediate improvements and develop an action plan for future enhancements.

The agency received $30 million in supplemental funding, part of which went to accelerate the deployment of near-term cybersecurity measures at all of its nuclear weapons complex sites, a DOE spokesperson said.

But "we're still short of funds," the Energy official said.

At NNSA, security is key. The agency takes a three-layer approach to its network architectures, similar to a bull's eye with green, yellow and red circles for unclassified/nonsensitive, sensitive and classified information, respectively, according to the official.

Although NNSA tracks and monitors red very well, the source said, yellow is weaker because the agency has had to devote its resources to the green layer, which has the most open access and limited firewall capability.

NNSA also doesn't have the funds to continue a project that addresses the so-called insider threat, posed by individuals with legitimate access to its networks, according to the source.

It's a threat the agency has dealt with in the past. In 1999, scientist Wen Ho Lee was charged with copying secret nuclear information from a secure computer at Los Alamos National Laboratory. In a separate case the next year, classified computer drives were reported missing and then found at the lab.

Despite a spate of problems, the alleged money transfer doesn't surprise cybersecurity experts. "It's consistent," said Eugene Spafford, professor and director of Purdue University's Center for Education and Research in Information Assurance and Security. "What we don't have enough of, in this realm in particular, is the kind of long-term thinking that has occurred in other areas."

Blaine Burnham, director of the Nebraska University Consortium on Information Assurance and a senior research fellow for the University of Nebraska at Omaha's College of Information Science and Technology, agreed. "Generally, it runs true to form with what has happened to cybersecurity budgets over time. It doesn't have the sizzle. Guards with big, barking dogs have lots of sizzle.

"That's not to say that the NNSA hasn't made an introspective analysis of where [its] needs are," Burnham said.

NNSA has asked Congress for $510 million for safeguards and security for fiscal 2003, with $72 million set aside for cybersecurity, but expects to get $66 million to protect its networks, the DOE official said, adding that the agency needs about another $30 million to get the job done.

"There's a lot of turmoil in the federal government in general trying to get all security — information and physical — sorted out," said Chip Lawson, business development director for Harris Corp.'s security-threat avoidance technology network group.

In a boon to cybersecurity, the Bush administration last month released a draft National Strategy to Secure Cyberspace. Some IT experts criticized the plan as too weak for not setting specific requirements for the public and private sectors.

DOE officials were unavailable for comment.

Challenging mission

Congress created the National Nuclear Security Administration in fiscal 2000 to carry out the Energy Department's programs in nuclear weapons, defense nuclear nonproliferation and naval reactors. Its facilities include Lawrence Livermore, Los Alamos and Sandia national laboratories. "They have possibly the most significant information and physical security challenge in the nation, if not the world," said Blaine Burnham, who previously held information assurance roles at the National Security Agency, Los Alamos and Sandia.