GAO: Los Alamos National Lab's Cybersecurity Lacking
Cybersecurity efforts to protect a leading U.S. nuclear laboratory's classified computer network remain lacking even after a series of security lapses, according to a new report from the U.S. Government Accountability Office.
The Los Alamos National Laboratory, which has suffered multiple security breaches in recent years, continues to have "significant weaknesses ... in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network," the GAO said in a report released Friday.
The lab has vulnerabilities in several "critical" areas, including identifying and authenticating users, authorizing user access, encrypting classified information and maintaining secure software configurations, the GAO report said.
"A key reason for the information security weaknesses GAO identified was that the laboratory had not fully implemented an information security program to ensure that controls were effectively established and maintained," the report said.
The lab has not conducted comprehensive risk assessments to ensure against unauthorized use, has not marked the classification level of information stored on its classified network, and has inadequate training for users with security responsibilities, the GAO report said.
In January, there were reports of the theft of three computers from a lab employee's home in Santa Fe, New Mexico. Later reports said as many as 67 computers were missing from the lab.
In July 2007, the U.S. Department of Energy moved to fine the lab for an October 2006 breach that exposed classified data. A contract worker illegally downloaded and removed hundreds of pages of data from the lab using USB thumb drives.
Also in mid-2007, U.S. lawmakers criticized the lab after reports that several officials there had used unprotected e-mail networks to share highly classified information.
There were other security problems at the lab, including instances in 2003 and 2004 when the lab could not account for classified removable electronic media, such as compact discs and removable hard drives.
A lab spokesman did not immediately return an e-mail seeking comment on the GAO report. The DOE's National Nuclear Security Administration (NNSA), while it said it generally agreed with the report, said the lab has made progress in its cybersecurity efforts.
Many of the shortcomings have been addressed, said Michael Kane, associate administrator for the NNSA, in a letter to the GAO. In response to a DOE compliance order issued in 2007, "a number of key technical issues and policy implementation concerns have been or are currently being addressed," Kane said.
The DOE oversees the lab, a multidisciplinary research institution working on strategic science on behalf of U.S. national security. The lab is jointly operated by several groups, including NNSA and the University of California.