A GAO Report released Friday the 13th found that “significant information security control weaknesses remain on LANL’s classified computer network. LANL had vulnerabilities in several critical areas, including (1) identifying and authenticating the identity of users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance.”
The report explains that LANL spent approximately $433 million from fiscal years 2001 through 2008 to operate, maintain, protect, and procure equipment for its classified computer network. The largest expenditure for the classified computer network was for high-performance computing, which accounted for $322 million (or 74 percent) of total expenditures. LANL began to expand the classified computer network in 2005, accounting for $48 million (or 11 percent) of total expenditures during the fiscal year 2001 through fiscal year 2008 period. Expenditures for special initiatives, such as the Integrated Cyber Security Initiative and Multi-Platform Trusted Copy program, accounted for $19 million (or 4 percent) of total expenditures. The core classified cyber security program, which serves as the foundation of LANL’s protection strategy for the classified cyber security program, accounted for $45 million (or 10 percent) of total expenditures over the period.
Clearly, the Lab was more focused on high-performance computing than on protecting the nation’s nuclear secrets, or maybe the Lab thought everything was OK.
This GAO report comes after the DOE Office of Enforcement devoted significant attention to monitoring compliance with a Secretarial Compliance Order that was issued in July 2007. Specifically, the DOE Secretary directed the contractor for the Los Alamos National Laboratory – Los Alamos National Security, LLC – to remediate deficiencies that contributed to a breach of classified information security controls and to correct longstanding deficiencies associated with classified information security, and classified and unclassified cyber security programs. Los Alamos National Laboratory reported that the actions were completed by December 2008, and the DOE Los Alamos Site Office formally validated completion of the required actions.
But problems were still not corrected. To satisfy the July 2007 DOE Compliance Order described above, the laboratory reaccredited all classified computer systems. During 2008, as part of its reaccreditation process, LANL revised risk assessments for classified computer systems and included the results in the system security plans. However, of the five system security plans the GAO reviewed, one plan’s risk assessment did not adhere to the latest methodology and did not include evidence of a comprehensive threat analysis, as required by DOE. Furthermore, the remaining four plans noted that not all known threats and vulnerabilities had been evaluated to determine risks. Without comprehensive risk assessments, risks to certain systems may be unknown and appropriate controls may not be in place to protect against unauthorized access to or disclosure of sensitive information, or disruption of critical systems and operations.
What’s the problem? A Special Report from the Government Computer News tells us –
According to data reported by the U.S. Computer Emergency Readiness Team (US-CERT), reported attacks on U.S. government computer networks climbed 40% last year, and more infiltrators are trying to plant malicious software they could use to control systems or steal sensitive data. Accounts of unauthorized access to government computers and installations of hostile programs rose from a combined 3,928 incidents in 2007 to 5,488 in 2008. The latest report, issued in February 2009, represented a small sampling – just 1% of federal agencies have fully developed tracking systems – and some of the uptick in reported attacks may be due to better reporting in the last year.
Government networks are targeted by foreign nations seeking intelligence, such as China and Russia, as well as criminal groups and individuals who may want to disrupt power, communication or financial systems. Some attackers are less interested in stealing data than in undermining a system’s ability to operate by planting software that could slow critical networks in emergencies. Security industry observers expressed alarm about phishing, in which seemingly legitimate e-mails solicit sensitive information, and ‘web redirects,’ which shunt a computer to a website where it downloads malicious software. According to reports, fewer attacks are being used to take down an organization’s entire IT system. Instead, attacks now penetrate IT systems without impairing them, primarily to siphon out sensitive information without detection.