How Do You Spell PASSWORD? LANL Gets Bad Cyber Report
It turns out that cyber security for running supercomputing networks at a national nuclear weapons laboratory may not be much different than cyber security for the rest of us emailing, social networking, and watching kitten videos. All of us need to be reasonably vigilant with passwords and software updates. The difference is that when you and I use lame passwords and don’t update our software, we don’t put national security at risk.
The DOE Investigator General (DOE IG) released a report that identified continuing concerns in LANL’s cyber security program. These concerns have been going on for years. A 2006 report revealed that critical cyber security internal controls and safeguards were not functioning as intended and that monitoring by both laboratory and Federal officials was not adequate. Weaknesses with LANL’s cyber security program were also identified at least as far back as 2002.
A temporary shutdown of the Lab for nearly seven months (July 2004 to January 2005) because of a security flap might have cost as much as $370 million, but the exact amount can’t be calculated because of the way the lab recorded its activities, according to General Accounting Office congressional investigators in 2005. Apparently, exact amounts are hard for the Lab to come up with. The DOE IG, for its cyber report, said, “Although LANL spends a significant amount of funds on information technology (IT) activities, we were unable to obtain an accurate amount due to the Laboratory’s limited ability to track its IT spending.”
How do you spell PASSWORD?
The DOE IG found that, “Network servers and devices were configured with default or easily guessed login credentials or required no authentication. For example, 15 web applications and 5 servers were configured with default or blank passwords.” Additionally, two network servers were able to accept connections from anybody without authentication or similar access controls. Also, 10 network servers could have allowed unauthorized remote control.
Those pesky software updates –
And, “LANL had not fully implemented existing security patch management and vulnerability management procedures. Specifically, tests of 191 network servers supporting LANL’s financial applications and data or providing core network services revealed that 73 (38 percent) were running operating systems and client applications without current security patches…” The DOE IG also found that LANL continued to maintain a significant number of operating systems, client applications and other various software that was no longer supported.
To be fair, the DOE IG reported that LANL “improved the protection of national security systems and data through the elimination or disablement of data ports on machines containing classified information.” This partially refers to the Lab’s low-tech program of injecting a popular two-stage epoxy into USB ports. I’m not sure that qualifies as an IT solution.
No passwords. No updates. How does this happen at a nuclear weapons laboratory? Two things: first, the Lab contractor does not perform. Second, oversight is lacking. The DOE IG stated that, “The issues identified occurred, in part, because of a lack of effective monitoring and oversight of LANL’s cyber security program by the Los Alamos Site Office, including approval of practices that were less rigorous than those required by Federal directives.” The Los Alamos Site Office is a DOE office and is tasked with providing immediate federal oversight of the Lab and making sure that our taxpayers’ dollars are spent wisely.
Unfortunately, DOE continues to relax its grip on oversight of the Labs. Continuing cyber security issues are only one manifestation of this letting go. We need a strong DOE Secretary, a strong NNSA administrator, and strong Congressional oversight as we head towards zero nukes if we hope to hold the nuclear weapons complex contractor accountable.