Nov 15, 2009

Little to Show for $433 MM Infosec Investment

GAO: Security Weaknesses at Los Alamos Lab's Classified Network

November 13, 2009 - Eric Chabrow, Managing Editor - GovInfoSecurity.com

Los Alamos National Laboratory has spent $433 million to secure its classified computer network between fiscal years 2001 and 2008, according to a report issued Friday by the Government Accountability Office, yet significant weaknesses remain in safeguarding the confidentiality, integrity and availability of information stored on and transmitted over its classified computer network.

The audit, requested by the House Committee on Energy and Commerce, cites Los Alamos' management as saying funding for its core classified cybersecurity program has been inadequate for implementing an effective program during fiscal years 2007 and 2008.

"LANL's security plans and test plans were neither comprehensive nor detailed enough to identify certain critical weaknesses on the classified network," the GAO said in its 39-page report.

The Energy Department-run laboratory in Los Alamos, N.M., also known as LANL, is among the world's largest science and technology institutions that conduct multidisciplinary research for fields such as national security, outer space, renewable energy, medicine, nanotechnology and supercomputing. Along with the Lawrence Livermore National Laboratory, LANL is one of two labs in the United States where classified work designing nuclear weapons takes place.

GAO identified several critical areas where vulnerabilities surfaced, including uniquely identifying and authenticating the identity of users, authorizing user access, encrypting classified information, monitoring and auditing compliance with security policies and maintaining software configuration assurance.

A key reason for the information security weaknesses was that the laboratory had not fully implemented an information security program to ensure that controls were effectively established and maintained, the congressional auditors said.

Among the program's shortfalls identified by the GAO:
  • Lack of comprehensive risk assessments to ensure that appropriate controls are in place to protect against unauthorized use,
  • Not developing detailed implementation guidance for key control areas such as marking the classification level of information stored on the classified network,
  • Inadequate specialized training for users with significant security responsibilities and
  • Insufficiently developing and testing disaster recovery and contingency plans, which reduces the laboratory's chances of resuming normal operations after a service disruption.

"The laboratory's decentralized approach to information security program management has led to inconsistent implementation of policy, and although the laboratory has taken steps to address management weaknesses, its efforts may be limited because LANL has not demonstrated a consistent capacity to sustain security improvements over the long term," the GAO said.

Among GAO's recommendations: The laboratory fully implement its information security program, centralize management of the classified network and develop a sustainability plan that details how it plans to strengthen recent cybersecurity improvements over the long term.

The National Nuclear Security Administration, the Energy Department unit responsible for the safety of government nuclear sites, generally concurred with the GAO recommendations.

31 comments:

Anonymous said...

The classified networks at LANL are already almost at a standstill in terms of getting any real work done. It takes a minimum of 90 days before any new software can be placed on lab classified computers.

This has resulted in many scientists having to "roll their own" apps to get any work done when new software requirements emerge, which is much more expensive and greatly slows down national security research.

The new LANS software quality assurance thrust of meaningless paperwork to monitor home-grown apps now being shoved down the throats of staff also adds to the delays and will only make things even worse!

Put a fork in it and move along... this place is done!

Anonymous said...

The beatings will continue until morale improves. Might I suggest that LANS order that all computers be taken away from the employees? That will improve the security compliance metrics, no doubt.

Anonymous said...

11:22 LANS has seen fit already to disconnect remote disks each and every time I log on. Frankly, I'd be happier if NNSA DID disconnect all classified computers. At least then the expectation that work is being done would be formally removed. As it is today, customers expect work to be done while the LANS computer security people put up roadblock after roadblock in the name of security. Of course the actual physical and cyber security remains a joke that any high-school dropout could break into simply by following the rules.

Anonymous said...

I think all classified activities should be stopped since LANS has no interest in getting any work accomplished unless it fulfills a well-defined PBI. For example, now all of a sudden Mikey cares about plutonium science ... right.

Anonymous said...

Need more JB Weld. That'll fix yer classified computing cyber security problems.

Anonymous said...

The people at LANL in charge of "infosec" (formerly known as "cyber security" and before that simply "computer security") for decades have known absolutely nothing about security, and very little about computer science or engineering. They rely on contractors to provide one "good idea" after another, but never can see the whole picture as a system approach. Thus JB Weld (resulting in voided warranties on many millions of dollars of new government computing equipment), "thin clients," locking up your thin clients, locking up the keys to your lock boxes, etc. Until NNSA decides that appropriately trained technical talent is as important in security as it is in science, no improvements are possible.

Anonymous said...

"Until NNSA decides that appropriately trained technical talent is as important in security as it is in science"

I think NNSA has made that decision. They desire identical levels of talent for both.

Anonymous said...

Well I guess that our system is better than the systems at NASA, or perhaps the companies that are working on the F-35 fighter program. Those systems have been hacked into so many times...

On a more pressing and current theme, it suggests that we have an inherent weakness in management! Wasn't that why they increased the contract fee from $8M to $73M with the competition and subsequent award of the contract to LANS?

Anonymous said...

9:13 pm: "Well I guess that our system is better than the systems at NASA, or perhaps the companies that are working on the F-35 fighter program. Those systems have been hacked into so many times..."

There is a major difference - most if not all of those systems are NOT classified. NNSA classified systems are by policy "air-gapped" - no possible connection between classified and unclassified (i.e., hackable) systems. You can't physically get from the internet to a classified NNSA system.

Anonymous said...

Watch the November 8 60 Minutes story on cyber security, then tell us how all the new policies are simply a conspiracy to make it difficult for you to play in your sandboxes because the "powers that be" do not want you to do anything productive. (And, if you dare, define "productive.") Jeez...

Yes, I know, from the perspective of the self-centered individuals that--for some reason--believe the taxpayers should fund their sandbox playtime without any constraints, this is just government propaganda (no doubt promulgated by D'Agostino or the evil Dr. Mikey).

Quit your whining and get with the program. If you think life is better elsewhere, go there--if you are qualified to do so. My bet is that most of you whiners are not marketable elsewhere. If you were, you would not be here. (Who are the real "D" students?)

Flame away! (And, if I may say so, you know where you can stick your thumb drive since your USB port is now plugged with J-B Weld!)

Anonymous said...

If the lead sentence of the article is copied from the GAO report, it's a hoot: Los Alamos National Laboratory has spent $433 million to secure its classified computer network...

From the bar chart, the vast majority of the funds have gone into high performance computing, the network itself, etc. Not cybersecurity.

Anonymous said...

The media has decided to dig up all the old "horror stories" about LANL, once again. However, in the story below, they fail to mention the X-Division hard disks found behind a copier after the Great Fire (2000) and the Wen Ho Lee story regarding the Chinese spies (1999). How careless of them.

Must be a slow news weekend....

-

GAO: Los Alamos National Lab's Cybersecurity Lacking

Grant Gross, IDG News Service

Nov 13, 2009 3:00 pm

...In January, there were reports of the theft of three computers from a lab employee's home in Santa Fe, New Mexico. Later reports said as many as 67 computers were missing from the lab.

In July 2007, the U.S. Department of Energy moved to fine the lab for an October 2006 breach that exposed classified data. A contract worker illegally downloaded and removed hundreds of pages of data from the lab using USB thumb drives.

Also in mid-2007, U.S. lawmakers criticized the lab after reports that several officials there had used unprotected e-mail networks to share highly classified information.

There were other security problems at the lab, including instances in 2003 and 2004 when the lab could not account for classified removable electronic media, such as compact discs and removable hard drives.

A lab spokesman did not immediately return an e-mail seeking comment on the GAO report.

www.pcworld.com/article/182176/gao_los_alamos_national_labs_cybersecurity_lacking.html

Anonymous said...

*** BREAKING NEWS ***

LANL is officially NO LONGER #1 in supercomputing.

Look what tens of millions of new dollars in stimulus money dedicated for science did at ORNL (story below). Too bad LANL didn't get any of this initial money except for the $212 million for hiring contractors for cleanup who are FOBs (Friends of Bechtel).

BTW, ORNL is in "big time" hiring mode for scientists. Last fiscal year, they were blessed with over 30% greater funding for science and are currently looking for good scientists to do actual research, rather than just NNSA "compliance" busy work. And unlike LANL, they do no production work.... just good science, run by a non-profit institute for only $10 million per year.

~~~~~
ORNL computer is world's fastest

Jaguar upgraded from No. 2 on Top500 list; UT’s Kraken at No. 3

By Frank Munger, November 16, 2009

OAK RIDGE - After a year at No. 2, Oak Ridge National Laboratory's Jaguar has emerged as the world's fastest computer, according to the Top500 rankings unveiled today.

The newly updated Cray XT5 system passed a benchmark test at 1.759 quadrillion mathematical calculations per second - or 1.759 petaflops. That easily surpassed the IBM Roadrunner at Los Alamos National Laboratory in New Mexico. Roadrunner's qualifying speed, 1.04 petaflops, actually declined slightly from the last ranking because of a reconfiguration of the computer.

The University of Tennessee's Kraken supercomputer, another Cray XT5 system that's housed at ORNL and was upgraded at the same time as Jaguar, rose to third on the worldwide list with a benchmark rating of 832 teraflops - or 832 trillion calculations per second.

Release of the new list, which is put together every six months by an international team (that includes UT's Jack Dongarra), was embargoed until early this morning. The formal announcement of the new rankings is to take place this week at the world supercomputing conference in Portland, Ore. Former Vice President Al Gore is scheduled to be a keynote speaker.

Jeff Nichols, ORNL's scientific computing chief, and others from the Oak Ridge lab planned to attend the supercomputing conference.

In an interview before he left for Portland, Nichols was thrilled about Jaguar's No. 1 ranking, which he said would draw more attention to ORNL's leadership role in scientific computing and help continue a strong trend of attracting top talent to the Oak Ridge laboratory.

www.knoxnews.com/news/2009/nov/16/ornl-computer-is-worlds-fastest/

Anonymous said...

LANL's Roadrunner is no longer even #2. It's been kicked out by these two new ORNL supercomputers to the lowly third spot on the list... and probably falling fast.

Way to go, LANS! Heckavajob NNSA!
Bonuses for all the top LLC managers!!!

Anonymous said...

While LANL continues its rapid decline into obscurity under a "for profit" LANS/Bechtel and NNSA, it's good to know that at least one national lab is thriving in America.

Anonymous said...

The claims made by the GAO are pretty weak: paperwork gaps, claims of less-than-flawless execution, labeling errors -- basically artifacts of the security system itself. The more security measures you have, the more failures you have. It's a self-reinforcing cycle.

Anonymous said...

From that same Frank Munger Knoxville News story that was released right after 12 midnight (EST):

-
"...With Jaguar and Kraken housed on the Oak Ridge campus, ORNL is the only institution in the world with two petascale supercomputers - each capable of more than a quadrillion (or 1,000 trillion) calculations per second. A third petascale computer is expected to be operating within the next year, thanks to a new $215 million agreement with the National Oceanic and Atmospheric Administration. NOAA has already provided ORNL with more than $70 million to purchase a new supercomputer that will be dedicated to climate research, and the lab is expected to issue a request for proposals from computer vendors by the end of the year."
-

In an earlier story several months back at the Knoxville News, one of the ORNL project managers said during an interview that ORNL is planning to hire over 50 climate scientists so that they can become the premier institution in climate science.

It's mind-boggling to contemplate this level of project growth. Are there even 50 PhD-level climate scientists looking for jobs in the US today?

Anonymous said...

Don't be too dour about this latest supercomputing news. At least LANL is still a "Center of Excellence" in the rapidly growing field of plutonium science!!! ... not that anyone left in power in America is particularly interested in this niche subject.

Anonymous said...

Hey, maybe instead of wasting that enormous $433 million in infosec money, LANS management should have supplied a little of it to help support their flagging super-computing efforts.

At least LANL is still #1 when it comes to the amount of scientific urine produced and measured each day!

Anonymous said...

"My bet is that most of you whiners are not marketable elsewhere. If you were, you would not be here. (Who are the real "D" students?)"

Now this says everything about you, Mr. 9:59pm, and what you think of LANL.

What you are saying is that LANL is not a place for good people. You are not very good at what you do and that is why you are here.

Anonymous said...

"It's mind-boggling to contemplate this level of project growth. Are there even 50 PhD-level climate scientists looking for jobs in the US today?"

11/15/09 11:06 PM

I don't know, but they could probably entice about a half a dozen or so climate scientists currently working at LANL to join their massive climate modeling efforts.

Anonymous said...

WE'RE NUMBER 3!!!
WE'RE NUMBER 3!!!

With LANS as our leadership,
We generate lots of pee!

Bechtel owns this declining lab,
But only for a fee!

Being only compliance driven,
We'll soon be run by D's!

Anonymous said...

11:22 PM

Please stop drinking and get back on your meds.

Anonymous said...

"11/15/09 11:22 PM"

The 9:59pm guy is just bitter about what was said earlier:

"For decades have known absolutely nothing about security, and very little about computer science or engineering. They rely on contractors to provide one "good idea" after another, but never can see the whole picture as a system approach."

It must really hit home with this idiot who can never leave the lab. I really like the 60 Minutes remark!

Anonymous said...

We're number 3? Don't bother me with trivial stuff like that. I'm trying to figure out how to get 5% attrition at LANL this year and plan the big layoffs for next!

- MIKEY

Anonymous said...

It's interesting to note that ORNL decided to go the route of using mainline Intel/AMD quad processors and is getting on the huge GPU-accelerated bandwagon that is storming the computer industry. GPU acceleration is now being utilized in commercial products on desktop PCs and is the "Next Big Thing" in industry standard computer hardware.

LANL has a history of continually picking orphaned hardware for their "supers".

ASCI-Q was based on the orphaned Digital Equipment "Alpha" chip, and LANL managers continued with its construction even though they knew Alpha processor production was being shut down by Digital/HP.

Roadrunner gets its speed by using highly specialized processors containing a modified version of the fading PowerPC CPU along with the odd-ball Cell processor, which is devilishly hard to program!

ORNL is taking the smarter route and it looks like it has paid off very well for them. The champagne corks are popping off in Oak Ridge this afternoon.

Anonymous said...

11:00 AM: "ORNL is taking the smarter route and it looks like it has paid off very well for them. The champagne corks are popping off in Oak Ridge this afternoon."


Yes, but do they wear those shoes that GRIP(!) at ORNL and spend their days taking endless numbers of online training classes? Do they stuff JB Weld in all their USB ports and cripple their lab laptops? And where are their Work Free Safety Zones and out-sized salaries for lab executives and what about the necessary huge profit fees for a partnering construction company?

No, it's clear that ORNL is obviously not a top national lab. This super-computer news is just a flash in the pan.

Anonymous said...

Actually, Roadrunner is only at number 2, not 3. The UT/ORNL Kraken system took the third spot. It's interesting to note, however, just how much faster ORNL's Jaguar super rated over LANL's Roadrunner. They pulled ahead by a pretty high margin.

Anonymous said...

Well, ok 12:00pm. But they have compilers for Kraken that can actually compile code that will take advantage of the hardware without having to hand code every little bit like we have to do with Roadrunner to use the Cell & PPC hardware effectively.

A more important measure of usefulness would be how long it takes to get an application running efficiently. Which machine would you prefer to work on: Roadrunner, or Kraken? I know which one I like, and it's not Wile E. Coyote's little buddy.

Roadrunner: cute name; bad architecture.

Anonymous said...

Little to show for the $433 million spent/invested? Are you kidding me? A few more millionaires in our midst ain't nothing to sneeze at! A few more Beemers, a few more exotic training trips with the secretary. Money well spent no matter how you measure it.

Anonymous said...

Damn, think of all the new "glove box" desktop computers this money would have purchased. We could have bought the whole JB Weld company and started handing out super-sized tubes of the stuff to all our staff members.