Jul 14, 2007

LANL faces huge fine in security breach

One more, for good measure. In the New Mexican's version we get to read how Mike plans to make everything right.




By ANDY LENDERMAN | The New Mexican
July 13, 2007

Two management groups could pay $3.3 million in DOE penalties for violations

Federal officials have fined the managers of Los Alamos National Laboratory $3.3 million for allowing a major security breach of classified information last year.

The $3 million fine for the University of California is the largest ever by the U.S. Department of Energy. Los Alamos National Security, LLC, which took over management of the lab from the university in June 2006, was fined $300,000. The university and Los Alamos National Security have 30 days to appeal the fine to the Energy Department and then could appeal to a U.S. District Court.

Los Alamos National Security committed seven security-related violations ranging from failing to protect data ports to failing to assure physical security, the acting administrator of the National Nuclear Security Administration said in a letter Friday, and the University of California committed five similar violations.

The agency found “deficiencies in security controls” by Los Alamos National Security “were a central factor in the thumb drive security breach discovered in October 2006.” Former contract worker Jessica Quintana, who had a high-level security clearance, downloaded and printed classified information from a vault-type room at the lab in July 2006, according to her federal plea agreement. The information was found at Quintana’s home in October by police investigating an unrelated case, according to the plea agreement. She pleaded guilty to a misdemeanor charge of unauthorized removal and retention of classified information.

The violations created “vulnerabilities that led to the potential loss of national security interests,” agency administrator William Ostendorff wrote Friday to lab director Michael Anastasio.

“This incident is particularly troubling because many of the violations cited in the (notice of violation) are of the same nature as other performance deficiencies that have occurred at LANL in the areas of safety and security,” Ostendorff wrote.

In response, the lab stressed its managers are working to fix the problem.

“In addition to creating a new organization to oversee cybersecurity, the laboratory has already taken important, aggressive actions to reduce the total amount of its classified holdings and to consolidate those holdings into as few areas as possible without damaging productivity,” lab spokesman Kevin Roark said in a news release.

The new cybersecurity team reports directly to Anastasio, and the lab is working on completion of its first “super vault-type room.”

“The history of problems and violations concerning the protection of classified information at LANL are matters of deep concern to the department,” Ostendorff wrote to Anastasio. “We expect dramatic improvements in (Los Alamos National Security’s) performance … .”

The University of California intends to outline its “concerns and objections” about the fine to the Energy Department, spokesman Chris Harrington said.

“The content of our response will be informed by the fact that the incident at issue occurred in October 2006 — after the university’s management contract ended in May 2006 — and that the incident involved the individual behavior of a subcontracted, non-UC/LANL employee,” Harrington said in a statement.

The university was assessed the much larger fine because investigators determined the security deficiencies that led to the October 2006 incident were established while it was the prime contractor. The investigation also found the new management team did not correct the vulnerabilities it inherited.

U.S. Sen. Pete Domenici, R-N.M., said the security breaches and the department’s response “are a wake-up call for the entire weapons complex. The proposed reforms being developed by the energy secretary to improve security should be implemented complexwide.”

Domenici is pushing for $67 million in new money for security upgrades at the lab in fiscal 2008.

“It’s unfortunate that it has gotten to the point where DOE has had to impose fines on the lab’s management,” U.S. Sen. Jeff Bingaman, D-N.M., said in a statement. “DOE has also issued an extensive list of areas where improvements must be made. I hope these actions will have the intended effect of dramatically improving security at every level, and that all LANL employees will step up to ensure successful compliance.”

Pete Stockton of the Project on Government Oversight said he’d like to see the fines paid. “The important thing is to recognize that there’s a pattern here. … And some (other security errors) were potentially far worse,” he said.

Last month, two Democratic congressmen reported that officials of Los Alamos National Security apparently used open e-mail networks to share classified information related to nuclear material.

The penalties announced Friday “will hopefully serve as reminders that breaches in the security and safety of our national laboratories will not be without consequence,” U.S. Rep. Tom Udall, D-N.M., said in a statement.

The Associated Press contributed to this article.

Contact Andy Lenderman at 995-3827 or alenderman@sfnewmexican.com.


Anonymous said...

UC and NNSA are sitting on a sequence of major security violations at Livermore.
Biggest coverup I've ever heard about.

Anonymous said...


I happen to be fairly close to security and have no clue what you are talking about.

All IMIs are reported up the chain (as they are at LANL, SNL, etc...)

Anonymous said...

You don't know about it so it didn't happen. Gee, when have I heard that before?

Anonymous said...

Let's put it this way.....

When a security incident happens, we are the ones that tell U.C., LSO, and NNSA about it. So, unless it is a whistleblower (which is always possible), I have no clue what you (either 1:49 or 6:54) are talking about.

If you have something substantial to say regarding this "coverup," please do. Otherwise, more entropy on the blog, which is approaching a world record as far as I can tell.

Anonymous said...

" Anonymous said:
UC and NNSA are sitting on a sequence of major security violations at Livermore. Biggest coverup I've ever heard about.
7/14/07 1:49 PM"

See, here's the thing about security. When there are problems, the nature and extent of those problems are typically kept as quiet as possible while a solution is found - this is SOP and necessary to prevent a flood of further exploits. If you have such information, espousing it as a coverup is in itself detrimental to security.

Try this; offer up a solution if you can. Go where it counts, make a case, and help solve the problems. If you've done this and been ignored or harmed, you might have something worthwhile to share with the world. But it's still your obligation to help ensure the security of the nation's secrets.

Anonymous said...

This post from the previous article about the fines alludes to a coverup. And the S Division leader at the time has been promoted to AD.

Why shouldn't UC be fined the largest amount? They were the most responsible. The USB vulnerability in the secure was reported to S-11 in fall 2005. UC was managing LANL at that time, so the S-11 folks who did nothing were UC employees. DOE knows that the report was made, and they fined the appropriate entity the largest amount.

UC will not have to pay, and the clueless S-11 folks who did nothing still have jobs.

The DOE knows about the coverup and that's why UC got the big fine. The Congressional delegation knows about the coverup, but so far only Pete has chimed in.

The bottom line is that the vulnerability was reported, there were suggestions made as to how to prevent exploiting it, and they were ignored. Sounds like a coverup to me.

People have been promoted and/or been given raises, not just in S but in the division the person who made the report worked for (as a contractor). The vulnerability was not exploitable in that division. The contractor was ignored and then harmed. So now what, 7/14/07 at 8:48 pm, legal action? Letters to the Monitor and Albuquerque Journal, naming names? How much more harm could LANL do to the contractor who is now an ex-contractor?

Anonymous said...

10:55 a.m.

Let's not confuse LANL and LLNL. The original post alleged a coverup at LLNL.

Also, unlike PAAA, there is no waiver for 10CFR824 violations as a public entity as far as I can tell. U.C. will be paying.

Anonymous said...

7/15/07 10:55 AM, don't give too much credit to those who failed to act appropriately; ignorance (I mean that pejoratively) does not a coverup make. Given the rash of security-related missives I've seen at LANL, I'm pretty comfortable with my view of 'security' coming down to knee-jerk reactions that don't really accomplish anything except to inhibit work.

I realize people are abused for pointing out problems and being critical. Retribution is nothing new, and fear of same keeps most people quiet. How sad. Instead of well-reasoned concerns, people murmur and hide.

As for your ex-contractor example, I said nothing of that person's remedy. I'm not sure how that is germane to these comments.