The Honorable Samuel W. Bodman
U.S. Department of Energy
1000 Independence Avenue, SW
Washington, DC 20585
Via Facsimile: (202) 586-4403
Hard copy to follow
Dear Secretary Bodman:
As you know, the Project On Government Oversight (POGO) has long been concerned about security in the nuclear weapons complex. Cyber-security at the Los Alamos National Laboratory (LANL), in particular, is an embarrassment. It has become impossible to excuse or explain the continuing security breaches:
- In the Jessica Quintana case, the young employee of a sub-contractor had been left alone in a Sensitive Compartmented Information Facility with a monitor equipped with ports and thumb drives, and hundreds of pages of classified documents were later discovered during a methamphetamine drug bust at her home.
- Los Alamos National Security official Harold Smith, a former long-time senior LANL employee with top clearance, emailed sensitive classified documents from an unsecured laptop.
- Several weeks ago, another cleared LANL employee sent a classified email to an uncleared employee using the unclassified yellow network.
Security debacles just keep happening. (I have attached a list of some of those security incidents at LANL over the last few years.) They will continue to happen because the punishments meted out usually amount to a slap on the wrist and provide no deterrence to future violations. For example, in Harold Smith's case, I understand he only received a letter of reprimand in his file. In the Quintana case, University of California (UC) refused to pay the $3 million fine the Department of Energy (DOE) finally levied for the incident. UC claimed the 11th Amendment to the Constitution prohibited the federal government from fining the institution, a bizarre and fallacious claim. When challenged by House Energy and Commerce Committee Chairman John Dingell and Subcommittee Chairman Bart Stupak, UC backed down, claiming their lawyers made a mistake.
The lack of punishment for those who deserve it stands in stark contrast to the treatment of employees who attempt to address security breaches, usually to the embarrassment of the contractor. Those conscientious employees are almost always punished. POGO has numerous examples of DOE whistleblowers being put on administrative leave for months, losing their clearances, or being demoted for trying to protect national security.
There are two fundamental reasons why LANL continues to flail under your watch. First, is the relatively new policy DOE has implemented at Los Alamos that allows the contractor to investigate itself when there is a security breach or safety violation. This is so clearly a conflict of interest, it shouldn't require explanation. Yet we will provide one: The institution investigating itself will minimize the problem in order to limit any possible damage and embarrassment. Tasking the contractor with investigating itself in cases of security failures is not working.
The second reason is that Title 32 of the National Nuclear Security Administration Act seriously limits the Office of Independent Oversight's access to NNSA sites. Because of the NNSA Act, those investigators from DOE headquarters must wait for an invitation from NNSA before they are allowed to investigate an incident. POGO respectfully requests that you reinstate the policy of immediately deploying your Independent Oversight officials to independently investigate security incidents at nuclear weapons facilities, particularly LANL.
The policy change is urgently needed in light of the chaos and the incompetence at the DOE's Los Alamos Site Office (LASO). A draft NNSA evaluation report on LASO, "Headquarters Biennial Review of Site Nuclear Safety Performance Los Alamos Site Office" found that the office only met expectations for four out of fourteen nuclear safety oversight and assessment processes. The report (attached) found the office needed "continued improvement in most functional areas," had "significant gaps in meeting NNSA requirements" in multiple areas, and that there were "significant weaknesses in the LASO capability to accomplish its mission." To put it bluntly, DOE's local oversight function is foundering.
You shouldn't be shocked by this finding. In 2004, NNSA formed a commission chaired by retired Admiral Hank Chiles to "develop recommendations for recruiting and retaining sufficient security experts to effectively oversee safeguards and security in the NNSA complex in the long term." The commission found that the site offices did not have the capability to oversee the contractors.
You will never learn the facts about the actual state of security in the nuclear weapons complex, and in particular at LANL, without the benefit of independent oversight. You have the power to unleash that independent oversight: under 42 U.S.C. § 7144, you can direct the Office of Independent Oversight, and/or request that the Inspector General, conduct a comprehensive investigation of the ongoing cyber-security problems at LANL. Until now, investigations have been limited in scope to particular incidents. A comprehensive, independent investigation will be your only avenue to address the stubborn unwillingness by the contractor to implement recommended solutions and to hold people accountable. The time for action has long passed, and we sincerely hope you use the tools at your disposal to fix this problem.
Deputy Secretary Clay Sell
NNSA Administrator Tom D'Agostino
NNSA Principal Deputy Administrator Bill Ostendorff
House Energy & Commerce Committee Chairman John Dingell
House Energy & Commerce Committee Ranking Member Joe Barton
House Oversight & Investigations Subcommittee Chairman Bart Stupak
House Oversight & Investigations Subcommittee Ranking Member Ed Whitfield
Attachment: A List of Some Los Alamos Security Incidents
A List of Some Los Alamos Security Incidents
July 2007 – Los Alamos lab worker with "highest possible security clearance," and with access to the sensitive TA-55 plutonium building, arrested in cocaine drug bust. SOURCE: KRQE
June 2007 – Los Alamos board member sends highly classified email message unsecured, comprising "the most serious breach of U.S. national security." SOURCE: Time Magazine
May/June 2007 – Los Alamos staffer takes lab laptop containing "government documents of a sensitive nature" with him on vacation to Ireland, where it is stolen. Los Alamos scientist sends highly classified email over unclassified networks to the Nevada Test Site. SOURCE: Newsweek
October 2006 – Classified information from Los Alamos found during methamphetamine drug raid. SOURCE: POGO
June 2006 – NNSA Administrator Linton Brooks informs Congress that computer hackers obtained access to detailed personal information, including Social Security numbers, for about 1,500 DOE contract workers in September 2005. Yet neither the workers whose personal information was compromised, nor the DOE's cyber-security head were notified about the incident. SOURCE: Associated Press
July 2004 – POGO reports that 17 incidents of classified information from Los Alamos were sent over unclassified networks. On July 23, 2004, DOE shuts down operations involving Classified Removable Electronic Media (CREM) across the entire nuclear weapons complex. SOURCE: POGO
May 2004 – Classified computer media goes missing at Los Alamos. Lab claims it is "a single accounting discrepancy." SOURCE: POGO
December 2003 – Los Alamos confirms that computer disks were identified as lost during an "inventory of classified computer media." In total, ten disks were lost. SOURCE: POGO, LANL
January 2003 – A computer hard drive that contained classified data had been missing from Los Alamos since October 2002, but top officials at DOE failed to investigate the loss. On January 16, 2003, then-DOE Secretary Spencer Abraham issues statement saying: "I am deeply troubled that Los Alamos National Laboratory is unable to account for computer equipment and other materials as part of lab management's inventory control and audit program." SOURCE: POGO, DOE
November 2002 – Documents leaked to POGO show that more than 200 computers are missing, some from top secret programs. A January 2003 report by the DOE Inspector General later corroborates the findings, and scolds Los Alamos for firing the officers who wrote the memo. SOURCE: POGO, DOI Inspector General
January 2002 – Computer data containing nuclear weapons design information goes missing. LANL locates the missing disk. SOURCE: POGO
June 2000 – Two hard drives containing nuclear weapons secrets disappear at Los Alamos. They are mysteriously found several weeks later behind a copy machine with all finger and palm prints wiped off. SOURCE: LANL
March 1999 – Wen Ho Lee, a Los Alamos nuclear weapons scientist, is investigated by the FBI for allegedly downloading nuclear secrets onto his hard drive.