Los Alamos Leak Scrutinized
Latest security breach has agency soul-searching and looking at 'libraries' for disk storage
July 15, 2004
A new strategy for storing removeable media could result from a meeting today between representatives from Los Alamos National Laboratory and brass from the University of California.
The meeting between the lab and the university, which manages the lab under contract with the U.S. Department of Energy, is the latest action taken in the wake of a security breach last week -- the third and most serious in eight months. The previous breach, back in May, involved 11 items of "classified removeable electronic media" (CREM) that didn't contain any potentially harmful information (see Fed Disk Debacle's an ILM Cue).
Last Friday, though, Los Alamos reported that two items of CREM were missing from the lab's Weapons Physics Directorate -- and apparently, that's every bit as scary as it sounds, since the missing secrets relate to weapons the lab is currently developing.
The lab won't say whether those devices were floppies or portable hard drives, and spokesmen for both the lab and the university say internal and external investigations are underway.
Lab spokesman Kevin Roark says the lab is trying hard to eliminate its reliance on CREM and has earmarked $26 million to $30 million for a project that's scheduled to take place over a three- to four-year period. The goal is to move away from using CREM, of which the lab currently has more than 40,000 separate items on its inventory.Roark says the project is "a huge deal," since lab personnel rely on CREM to get their work done.
This raises questions about why Los Alamos hasn't turned to a more sophisticated way to control user access before. After all, it's frequently cited as an early adopter of networked storage technology, including clustered NAS gear from Panasas Inc. and state-of-the-art I/O connectivity, which adds to the puzzle of why it has such trouble tracking end users (see Panasas and Top500 Supercomputer List Relaunched).
Now the lab is looking more closely at the problem -- hopefully, not too late to avoid compromising national security. Among the solutions the lab's management is exploring are the following:
Reclassifying data, cutting down on the important information located on portable storage
Consolidating CREM in libraries, so users would have to "check out" disks, adding another level of security
Equipping folk with KVM (keyboard, video, and mouse) switches to allow remote access to data without removing it
Roark says there are no plans to issue a formal RFP for the CREM libraries, but it could herald a major pitchfest for makers of disk libaries such as Fujitsu Siemens Computers, IBM Corp. (NYSE: IBM), Storage Technology Corp. (StorageTek) (NYSE: STK), and a host of others with disk-based backup and virtual tape systems that feature complex controls for user access.
The topic of access will no doubt come up at today's meeting, scheduled for 10 a.m. Pacific time in California. On the agenda: Los Alamos director George P. Nanos will speak with University of California vice president for laboratory management Robert Foley and UC Regents' chair Gerald L. Parsky about means of controlling security at the lab.One topic will be the possible appointment of a special assistant from the university to oversee security and identify areas that could be beefed up. According to Chris Harrington, a spokesman for the UC office of the president, the candidate for the job is Jack Killeen, the general manager of Protection Technologies Los Alamos, a lab subcontractor. If approved, he'll report directly to Foley.
Killen's proposed appointment, however, could raise an outcry from government agencies that have sharply criticized UC and the current management for the security problems at the lab. UC is contracted to manage the lab until 2005.
Killeen, or whoever tackles the security crisis at Los Alamos, will have to confront human and well as technological issues. "Ultimately, no matter what kind of controls you put on CREM, it all comes down to personal responsibility," Roark says. The lab management has indicated it will deal forcefully with what it sees as a "willful disregard" for policies and procedures that are in place to ensure security -- such as personnel losing track of sensitive floppies.
So far, there aren't any culprits. Lab spokesman Kevin Roark said it's far too early to tell what will happen to personnel responsible for the breach, or whether any formal charges will be pressed by the U.S. Department of Justice against the management of the lab.
Stay tuned for developments as they occur.Mary Jander, Site Editor, Byte and Switch
You May Also Like