GAO calls for laboratory to restrict access to foreign nationals.
Unclassified information on a network the Los Alamos National Laboratory operates is susceptible to unauthorized access because of major information security weaknesses, according to a Government Accountability Office report released on Friday. Among the problems GAO cited was the large number of foreign nationals from countries the government deems sensitive who have access to the network.
Comment on this article in The Forum.Los Alamos has made progress to improve security and to detect threats, but vulnerabilities such as identifying and authenticating network users, encrypting sensitive information, and restricting physical access to computer resources remain, according to the GAO report. For example, while Los Alamos implemented strong authentication measures for accessing the network, once a user has accessed the network, he or she could create a simple password that would allow them to access sensitive information.
The lab is a national security facility located in Los Alamos, N.M., whose core mission is to ensure the safety and reliability of the nuclear weapons stockpile. Los Alamos employs more than 12,000 people in 2,700 buildings and has an annual operating budget of about $2 billion. Its unclassified network contains sensitive information, including unclassified but sensitive nuclear information, data on nuclear reactor safeguards, the military's critical technology list, confidential foreign government information, and personally identifiable information on lab employees.
"Owing to the nature of the research and development conducted at [Los Alamos], the information on the unclassified network presents a valuable target for foreign governments, terrorists and industrial spies," GAO noted.
The agency detailed a number of weaknesses in the laboratory's information security program, including the absence of adequate risk assessments and effective policies to govern information security.
GAO highlighted as an issue the large number of foreign nationals who have access to the lab's unclassified network. As of May 2008, 688 foreign nationals, including more than 300 from countries identified as sensitive by the Energy Department, including Russia, China and India, were granted network access. Energy identifies countries as sensitive based on national security, nuclear nonproliferation or terrorism concerns.
"The number of foreign nationals who have access to the unclassified network has raised security concerns among some laboratory and [the National Nuclear Security Administration, which operates the Los Alamos lab] officials because of the sensitive information contained on the network," GAO reported.
Los Alamos spent more than $51 million from 2001 to 2007 to protect its unclassified network, but the lab's cybersecurity officials told GAO that funding had been inadequate to address some of their security concerns. In response, NNSA's chief information officer told the agency that Los Alamos had not adequately justified its requests for additional funds to address the lab's shortfalls. NNSA also said the lab's past budget requests were "prepared on an ad hoc basis and were not based on well-defined threat and risk assessments."
In 2006, NNSA implemented a more systematic approach to developing cybersecurity budgets across the nuclear weapons complex, including Los Alamos. The report said, however, the agency still has not provided guidance that clearly lays out spending priorities. GAO made 41 recommendations, including Los Alamos conducting a risk assessment and strengthening its information security policies. NNSA did not comment specifically on the recommendations but agreed with the general conclusions of the report.