Letter from POGO to DOE Secretary Bodman regarding unnecessary ongoing cybersecurity weaknesses
The Honorable Samuel W. Bodman
U.S. Department of Energy
1000 Independence Avenue, SW
Washington, DC 20585
Via Facsimile: (202) 586-4403
Dear Secretary Bodman:
The Project On Government Oversight is writing to voice our concern over the Department of Energy’s (DOE) failure to adequately oversee the Los Alamos National Laboratory (LANL) and, in particular, its failure to implement the long-promised plan to go media-less. The DOE’s National Nuclear Security Administration (NNSA) recently abdicated responsibility for overseeing both safety and cybersecurity at Los Alamos to the contractor, despite LANL’s unbelievably bad track record in both areas. Even more absurd is that the DOE would trust LANL to investigate and police its own breaches of safety and security.
As you know, on October 20, 2006, Los Alamos police found classified information from LANL during a drug bust at the home of a former LANL subcontractor employee, an incident becoming known as “CREM de meth.”
Police found three memory sticks containing 408 separate classified documents and an additional 456 hard-copy pages of classified documents, including some classified as Secret-National Security Information (pertaining to intelligence) and Secret-Restricted Data (pertaining to nuclear weapons). It was only by chance that the drug raid turned up these documents – proving that the cybersecurity problem is far from solved.
The “CREM de meth” drug bust at Los Alamos is just the latest in a bizarre series of incidents involving unauthorized removal of classified information and missing classified data from LANL. For instance, there was the infamous case in 2000 in which computer hard drives holding classified and highly sensitive Nuclear Emergency Search Team (NEST) information went missing. The hard drives mysteriously reappeared weeks later behind a copying machine. No fingerprints were found on the hard drives. Furthermore, between 2002 and 2004 there was a rapid-fire series of seven instances of missing or mishandled classified computer equipment and Classified Removable Electronic Media (CREM).
It is absurd that six years after Wen Ho Lee pleaded guilty to mishandling national security information from the lab that LANL personnel can still walk out with a USB memory stick, which can hold large amounts of highly classified data. It is equally absurd that such a junior subcontractor employee could have such a high clearance as Sigma 15, which gave her access to the most sensitive information in the complex. In 2004, the Department of Energy and LANL claimed they were going to eliminate CREM by going to a diskless environment by 2009. As POGO pointed out at the time, the five-year timeline is ridiculously drawn out, and it has allowed the sense of urgency to fix this problem to fade.
The solution to this problem isn’t rocket science – and is not expensive. The major focus should be on ensuring the security of the classified computing system. Classified inter-agency reviews of the threats to the nuclear weapons complex all came to the same conclusion: resolving the risk presented by an “insider” employee needs to be the priority. In fact, Sigma 14 and 15 information was supposed to be given the first priority for going media-less and being protected against the insider threat.
Attached are copies of documents used in a meeting at the Lawrence Livermore National Laboratory in late August 2000 detailing a plan to go media-less across the entire nuclear weapons complex in less than six months at a cost of $10 million to $15 million. This plan was killed by the NNSA. Only now, six years later, is NNSA implementing a stop-gap measure – injecting glue into the USB ports – to prevent the use of removable media until DOE is able to go media-less.
We hope you will take quick and decisive action to implement a more meaningful and permanent media-less system at all nuclear weapons facilities, and especially at the Los Alamos National Laboratory. We would like to discuss a specific plan and timeline to implement this system. We look forward to working with you to resolve this problem once and for all.