National laboratory needs to tighten security

A US Department of Energy (DOE) report on inadequate security controls on computers used for classified and unclassified research...

A US Department of Energy (DOE) report on inadequate security controls on computers used for classified and unclassified research at the Los Alamos National Laboratory is calling on the facility to tighten the security of its hardware.

The report said inventory controls over the lab's 5,000 laptop and 40,000 desktop computers were not robust enough, with some machines never being entered into an inventory database. The report follows an investigation the agency began in 2002. 

The lab keeps two separate inventories of its computers, according to the report. One property management system, called Sunflower, lists all machines used in the facility, while a second list tracks only the classified machines used in the lab's Sensitive Compartmented Information Facility (SCIF).

Out of a sampling of 450 single-user, standalone classified desktop computers used at the lab, eight had valid property numbers but had never been entered into the Sunflower system, according to the report. Three other classified machines had never been issued property management numbers and were also not in the system. 

Los Alamos' "listing of classified desktop and laptop SCIF computers was not completely accurate" and information identifying each machine "did not always match the actual classified equipment", said the DOE report, issued by the department's inspector general, Gregory Friedman. 

The report recommends that the lab enter all classified desktop computers into its property management system and that missing classified machines be immediately reported as required. It also calls on the lab to maintain an accurate centralised listing of all computers used for classified work, and verify and match all property numbers for the classified machines. 

Kevin Roark, a spokesman for the New Mexico lab, said the facility has already made most of the inventory tracking changes. "This issue is largely solved," Roark said. "This problem wasn't that we didn't have the ability to lay our hands on all of our equipment. This was a problem about accounting [for it], about paperwork. The fact is there were no missing computers." 

Michael Kane, associate manager for management and administration at the DOE's National Nuclear Security Administration, said in a letter accompanying the DOE report that his agency concurred with the recommendations. 

The lab has faced several security problems in recent years. 

Last month, two removable computer disks containing classified nuclear weapons data were determined to be missing from the lab, leading to the suspension of most activities there. E-mail security problems were also reported last month. 

Last December, poor record keeping at the lab was blamed after nine classified computer floppy disks and a large-capacity storage disc were found to be missing during a routine inventory of classified electronic storage media at the facility. 

Another incident occurred in June 2000 when computer disks containing classified nuclear information were found to be missing from one of the laboratory's most secure vaults. They were later found behind a photocopier inside the lab. 

The Los Alamos lab is operated by the University of California for the National Nuclear Security Administration of the DOE.

Todd R Weiss writes for Computerworld

Read more on IT risk management