recommended reading

Network at Los Alamos vulnerable to attacks

Unclassified information on a network the Los Alamos National Laboratory operates is susceptible to unauthorized access because of major information security weaknesses, according to a Government Accountability Office report released on Friday. Among the problems GAO cited was the large number of foreign nationals from countries the government deems sensitive who have access to the network.

Comment on this article in The Forum.Los Alamos has made progress to improve security and to detect threats, but vulnerabilities such as identifying and authenticating network users, encrypting sensitive information, and restricting physical access to computer resources remain, according to the GAO report. For example, while Los Alamos implemented strong authentication measures for accessing the network, once a user has accessed the network, he or she could create a simple password that would allow them to access sensitive information.

The lab is a national security facility located in Los Alamos, N.M., whose core mission is to ensure the safety and reliability of the nuclear weapons stockpile. Los Alamos employs more than 12,000 people in 2,700 buildings and has an annual operating budget of about $2 billion. Its unclassified network contains sensitive information, including unclassified but sensitive nuclear information, data on nuclear reactor safeguards, the military's critical technology list, confidential foreign government information, and personally identifiable information on lab employees.

"Owing to the nature of the research and development conducted at [Los Alamos], the information on the unclassified network presents a valuable target for foreign governments, terrorists and industrial spies," GAO noted.

The agency detailed a number of weaknesses in the laboratory's information security program, including the absence of adequate risk assessments and effective policies to govern information security.

GAO highlighted as an issue the large number of foreign nationals who have access to the lab's unclassified network. As of May 2008, 688 foreign nationals, including more than 300 from countries identified as sensitive by the Energy Department, including Russia, China and India, were granted network access. Energy identifies countries as sensitive based on national security, nuclear nonproliferation or terrorism concerns.

"The number of foreign nationals who have access to the unclassified network has raised security concerns among some laboratory and [the National Nuclear Security Administration, which operates the Los Alamos lab] officials because of the sensitive information contained on the network," GAO reported.

Los Alamos spent more than $51 million from 2001 to 2007 to protect its unclassified network, but the lab's cybersecurity officials told GAO that funding had been inadequate to address some of their security concerns. In response, NNSA's chief information officer told the agency that Los Alamos had not adequately justified its requests for additional funds to address the lab's shortfalls. NNSA also said the lab's past budget requests were "prepared on an ad hoc basis and were not based on well-defined threat and risk assessments."

In 2006, NNSA implemented a more systematic approach to developing cybersecurity budgets across the nuclear weapons complex, including Los Alamos. The report said, however, the agency still has not provided guidance that clearly lays out spending priorities. GAO made 41 recommendations, including Los Alamos conducting a risk assessment and strengthening its information security policies. NNSA did not comment specifically on the recommendations but agreed with the general conclusions of the report.

Threatwatch Alert

Stolen credentials

Hackers Steal $31M from Russian Central Bank

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.