Lab’s Cyber Security Still Not Trustworthy

A GAO Report released Friday the 13th found that “significant information security control weaknesses remain on LANL’s classified computer network. LANL had vulnerabilities in several critical areas, including (1) identifying and authenticating the identity of users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance.”

The report explains that LANL spent approximately $433 million from fiscal years 2001 through 2008 to operate, maintain, protect, and procure equipment for its classified computer network. The largest expenditure for the classified computer network was for high-performance computing, which accounted for $322 million (or 74 percent) of total expenditures. LANL began to expand the classified computer network in 2005, accounting for $48 million (or 11 percent) of total expenditures during the fiscal year 2001 through fiscal year 2008 period. Expenditures for special initiatives, such as the Integrated Cyber Security Initiative and Multi-Platform Trusted Copy program, accounted for $19 million (or 4 percent) of total expenditures. The core classified cyber security program, which serves as the foundation of LANL’s protection strategy for the classified cyber security program, accounted for $45 million (or 10 percent) of total expenditures over the period.

Clearly, the Lab was more focused on high-performance computing rather than focusing on protecting the nation’s nuclear secrets, or maybe the Lab thought everything was OK.

This GAO report comes after the DOE Office of Enforcement devoted significant attention to monitoring compliance with a Secretarial Compliance Order that was issued in July 2007. Specifically, the DOE Secretary directed the contractor for the Los Alamos National Laboratory – Los Alamos National Security, LLC – to remediate deficiencies that contributed to a breach of classified information security controls and to correct longstanding deficiencies associated with classified information security, and classified and unclassified cyber security programs. Los Alamos National Laboratory reported that the actions were completed by December 2008, and the DOE Los Alamos Site Office formally validated completion of the required actions.

But problems were still not corrected. To satisfy the above July 2007 DOE Compliance Order, the laboratory reaccredited all classified computer systems. During 2008, as part of its reaccredidation process, LANL revised risk assessments for classified computer systems and included the results in the system security plans. However, of the five system security plans the GAO reviewed, one plan’s risk assessment did not adhere to the latest methodology and did not include evidence of a comprehensive threat analysis, as required by DOE. Furthermore, the remaining four plans noted that all known threats and vulnerabilities were not evaluated to determine risks. Without comprehensive risk assessments, risks to certain systems may be unknown and appropriate controls may not be in place to protect against unauthorized access to or disclosure of sensitive information, or disruption of critical systems and operations.

What’s the problem? A Special Report from the Government Computer News tells us –

According to data reported by the U.S. Computer Emergency Readiness Team (US-CERT), reported attacks on U.S. government computer networks climbed 40% last year, and more infiltrators are trying to plant malicious software they could use to control or steal sensitive data. Accounts of unauthorized access to government computers and installations of hostile programs rose from a combined 3,928 incidents in 2007 to 5,488 in 2008, The latest report, issued in February 2009, represented a small sampling – just 1% of federal agencies have fully developed tracking systems – and some of the uptick in reported attacks may be due to better reporting in the last year.

Government networks are targeted by foreign nations seeking intelligence, such as China and Russia, as well as criminal groups and individuals who may want to disrupt power, communication or financial systems. Some attackers are less interested in stealing data than in undermining a system’s ability to operate by planting software that could slow critical networks in emergencies. Security industry observers expressed alarm about phishing, in which seemingly legitimate e-mails solicit sensitive information, and ‘web redirects,’ which shunt a computer to a website where it downloads malicious software. According to reports, fewer attacks are being used to take down an organization’s entire IT system. Instead, attacks now penetrate IT systems without impairing them, primarily to siphon out sensitive information without detection.

Operations at Plutonium Facility stood down due to fire suppression system

In the latest of a string of fire system deficiencies on Wednesday September 30th, LANL management declared the fire suppression system inoperable in PF-4 at TA-55. Facility activities were placed in stand-by mode, which were still stood down as of three weeks later on Oct. 23rd.

DNFSB explained that the stand down was based on recent hydraulic calculations that concluded the system does not achieve the water density coverage required. Basically, the sprinklers in 13 of approximately 100 fire suppression areas at PF-4 cannot meet the current required gallons per minute estimated to effectively extinguish a fire. (Read the Oct. 2nd-23rd DNFSB reports)

One has to wonder – What is the cost to the taxpayer of PF-4 being stood down for nearly a month?

These reports come on the heels of last week’s DNFSB recommendation that the Lab must immediately do something about its risk to the public of a seismically induced fire at PF-4, which was estimated to exceed the DOE guidelines by more than 100 times. In a worst-case situation, an earthquake-induced fire could set free enough breathable plutonium that a person on the perimeter of the facility would receive a lethal dose of radiation.

Speaking of seismically induced fires, I am reminded of a March 2007 LANL report, Seismic Fragility of the LANL Fire Water Distribution System (LA-14325), which explains how numerous valves in the fire water distribution system at the Lab would have to be manually closed to insure proper pressure to facilities on fire after a seismic event.

Granted, these may be low probability events, but they have high consequences. The Lab is playing with fire by not adequately funding upgrades to its existing fire systems now, before embarking construction of any new facilities.

Los Alamos Director Anastasio’s Two Hats

Apparently the National Nuclear Security Administration reimburses Los Alamos National Security LLC (LANS) $397,341 for LANL Director Anastasio’s salary. Then LANS LLC pays him another $400K to promote the NNSA agenda from which LANS LLC derives a profit. During all this time Anastasio also acts as President of the for profit LANS (for which he gets a combined total of $800K).

Which hat does Anastasio then wear when the country needs his best advice? Obama wants the Comprehensive Test Ban Treaty ratified as one beginning step toward a nuclear weapons-free world. The Labs want the Senate to attach “Safeguards” to the Treaty during the ratification process that will have the contrary effect of enshrining nuclear weapons design and production capabilities into perpetuity. LANS profits from those capabilities.  How do we know that Anastasio will give untainted advice on serious questions such as whether this country will genuinely lead toward enhanced global security through the verifiable multilateral elimination of nuclear weapons?

For more on what the nuclear weapons labs want through CTBT Safeguards see our September 2009 press release:

Labs Seek “Stockpile Modernization” Through Test Ban Ratification “Updating” of Treaty “Safeguards” to Protect Nuclear Weapons Budgets

Los Alamos – Plutonium Center of Negligence

An October 27 press release from the Project on Government Oversight (POGO)
Defense Board Catches Los Alamos Trying to Dodge Plutonium Safety Vulnerability” revolves around a new Defense Nuclear Facilities Safety Board (DNFSB) revelation of public safety vulnerability and seismic issues at TA-55 (The Lab’s plutonium Technical Area).

The DNFSB has been very patient on the safety issues at TA-55. In a September 23, 2005 weekly report, they stated that LANL needed to try to justify a passive confinement strategy, continue plans to reduce radioactive materials, and to seismically upgrade the glove-box supports that have not already been upgraded. These issues are still unaddressed as of the latest DNFSB report.

Seismic issues run deep at Los Alamos. NNSA currently has plans to construct and operate the Chemistry and Metallurgy Research Replacement–Nuclear Facility (CMRR–NF) to support plutonium operations as a replacement for portions of the Chemistry and Metallurgy Research (CMR) facility, a 1950’s structure that faces significant safety and seismic challenges. In 1999, a fault was discovered under the old CMR building, which has been neglected, contaminated, and has several abandoned wings. This fault was the major reason given to build a new facility 1.2 miles away at TA-55.

The Lab has big plans for plutonium. In December 2008, NNSA released a Record of Decision for its Complex Transformation Environmental Impact Statement that keeps manufacturing and research and development involving plutonium at Los Alamos and blesses the building of the CMRR-NF. This decision was a combination of two alternatives – a Distributed Centers of Excellence and a Capability-Based alternative. But to compensate for the nearby fault lines, the CMRR-NF is now being designed with 10-foot thick concrete floors and there are plans being designed to pump grout into a layer of fragile volcanic ash under the proposed facility. Current construction estimates for this facility are $2 billion.

The Lab has been negligent in taking care of its plutonium flagship, TA-55. It has not been a good steward of plutonium missions. Los Alamos is the wrong location, seismically. Congress must seriously consider ending this unnecessary plutonium work.

Scroll to top